cabal-version: 1.12
name: hackage-security
version: 0.6.2.5
synopsis: Hackage security library
description: The hackage security library provides both server and
client utilities for securing the Hackage package server
(). It is based on The Update
Framework (), a set of
recommendations developed by security researchers at
various universities in the US as well as developers on the
Tor project ().
.
The current implementation supports only index signing,
thereby enabling untrusted mirrors. It does not yet provide
facilities for author package signing.
.
The library has two main entry points:
"Hackage.Security.Client" is the main entry point for
clients (the typical example being @cabal@), and
"Hackage.Security.Server" is the main entry point for
servers (the typical example being @hackage-server@).
license: BSD3
license-file: LICENSE
author: Edsko de Vries
maintainer: cabal-devel@haskell.org
copyright: Copyright 2015-2022 Well-Typed LLP
category: Distribution
homepage: https://github.com/haskell/hackage-security
bug-reports: https://github.com/haskell/hackage-security/issues
build-type: Simple
tested-with:
GHC == 9.8.2
GHC == 9.6.4
GHC == 9.4.8
GHC == 9.2.8
GHC == 9.0.2
GHC == 8.10.7
GHC == 8.8.4
GHC == 8.6.5
GHC == 8.4.4
extra-source-files:
ChangeLog.md
source-repository head
type: git
location: https://github.com/haskell/hackage-security.git
flag use-network-uri
description: Are we using @network-uri@?
manual: False
flag Cabal-syntax
description: Are we using Cabal-syntax?
manual: False
default: False
flag lukko
description: Use @lukko@ for file-locking, otherwise use @GHC.IO.Handle.Lock@
manual: True
default: True
library
-- Most functionality is exported through the top-level entry points .Client
-- and .Server; the other exported modules are intended for qualified imports.
exposed-modules: Hackage.Security.Client
Hackage.Security.Client.Formats
Hackage.Security.Client.Repository
Hackage.Security.Client.Repository.Cache
Hackage.Security.Client.Repository.Local
Hackage.Security.Client.Repository.Remote
Hackage.Security.Client.Repository.HttpLib
Hackage.Security.Client.Verify
Hackage.Security.JSON
Hackage.Security.Key.Env
Hackage.Security.Server
Hackage.Security.Trusted
Hackage.Security.TUF.FileMap
Hackage.Security.Util.Checked
Hackage.Security.Util.Path
Hackage.Security.Util.Pretty
Hackage.Security.Util.Some
Text.JSON.Canonical
other-modules: Hackage.Security.Key
Hackage.Security.Trusted.TCB
Hackage.Security.TUF
Hackage.Security.TUF.Common
Hackage.Security.TUF.FileInfo
Hackage.Security.TUF.Header
Hackage.Security.TUF.Layout.Cache
Hackage.Security.TUF.Layout.Index
Hackage.Security.TUF.Layout.Repo
Hackage.Security.TUF.Mirrors
Hackage.Security.TUF.Paths
Hackage.Security.TUF.Patterns
Hackage.Security.TUF.Root
Hackage.Security.TUF.Signed
Hackage.Security.TUF.Snapshot
Hackage.Security.TUF.Targets
Hackage.Security.TUF.Timestamp
Hackage.Security.Util.Base64
Hackage.Security.Util.Exit
Hackage.Security.Util.IO
Hackage.Security.Util.JSON
Hackage.Security.Util.Lens
Hackage.Security.Util.Stack
Hackage.Security.Util.TypedEmbedded
build-depends: base >= 4.11 && < 4.20,
base16-bytestring >= 0.1.1 && < 1.1,
base64-bytestring >= 1.0 && < 1.3,
bytestring >= 0.10.8.2 && < 0.13,
containers >= 0.5.11 && < 0.8,
cryptohash-sha256 >= 0.11 && < 0.12,
directory >= 1.3.1.5 && < 1.4,
ed25519 >= 0.0 && < 0.1,
filepath >= 1.4.2 && < 1.5,
mtl >= 2.2.2 && < 2.4,
parsec >= 3.1.13 && < 3.2,
pretty >= 1.0 && < 1.2,
-- 0.4.2 introduces TarIndex, 0.4.4 introduces more
-- functionality, 0.5.0 changes type of serialise
tar >= 0.5 && < 0.7,
template-haskell >= 2.13 && < 2.22,
time >= 1.8.0.2 && < 1.13,
transformers >= 0.3 && < 0.7,
zlib >= 0.5 && < 0.8,
-- whatever versions are bundled with ghc:
ghc-prim >= 0.5.2 && < 0.12
if flag(lukko)
build-depends: lukko >= 0.1 && < 0.2
else
build-depends: base >= 4.11
if flag(Cabal-syntax)
build-depends: Cabal-syntax >= 3.7 && < 3.14
else
build-depends: Cabal >= 2.2.0.1 && < 2.6
|| >= 3.0 && < 3.7,
Cabal-syntax < 3.7
hs-source-dirs: src
default-language: Haskell2010
default-extensions: DefaultSignatures
DeriveDataTypeable
DeriveFunctor
FlexibleContexts
FlexibleInstances
GADTs
GeneralizedNewtypeDeriving
KindSignatures
MultiParamTypeClasses
NamedFieldPuns
NoImplicitPrelude
NoMonomorphismRestriction
PatternSynonyms
RankNTypes
RecordWildCards
ScopedTypeVariables
StandaloneDeriving
TupleSections
TypeFamilies
TypeOperators
ViewPatterns
other-extensions:
AllowAmbiguousTypes
BangPatterns
CPP
DeriveLift
OverlappingInstances
PackageImports
RoleAnnotations
StaticPointers
UndecidableInstances
ghc-options: -Wall
-- The URI type got split out off the network package after version 2.5, and
-- moved to a separate network-uri package. Since we don't need the rest of
-- network here, it would suffice to rely only on network-uri:
--
-- > if flag(use-network-uri)
-- > build-depends: network-uri >= 2.6 && < 2.7
-- > else
-- > build-depends: network >= 2.5 && < 2.6
--
-- However, if we did the same in hackage-security-HTTP, Cabal would consider
-- those two flag choices (hackage-security:use-network-uri and
-- hackage-security-HTTP:use-network-uri) to be completely independent; but
-- they aren't: if it links hackage-security against network-uri and
-- hackage-security-HTTP against network, we will get type errors when
-- hackage-security-HTTP tries to pass a URI to hackage-security.
--
-- It might seem we can solve this problem by re-exporting the URI type in
-- hackage-security and avoid the dependency in hackage-security-HTTP
-- altogether. However, this merely shifts the problem: hackage-security-HTTP
-- relies on the HTTP library which--surprise!--makes the same choice between
-- depending on network or network-uri. Cabal will not notice that we cannot
-- build hackage-security and hackage-security-HTTP against network-uri but
-- HTTP against network.
--
-- We solve the problem by explicitly relying on network-2.6 when choosing
-- network-uri. This dependency is redundant, strictly speaking. However, it
-- serves as a proxy for forcing flag choices: since all packages in a
-- solution must be linked against the same version of network, having one
-- version of network in one branch of the conditional and another version of
-- network in the other branch forces the choice to be consistent throughout.
-- (Note that the HTTP library does the same thing, though in this case the
-- dependency in network is not redundant.)
if flag(use-network-uri)
build-depends: network-uri >= 2.6 && < 2.7,
network >= 2.6 && < 2.9
|| >= 3.0 && < 3.2
else
build-depends: network >= 2.5 && < 2.6
test-suite TestSuite
type: exitcode-stdio-1.0
main-is: TestSuite.hs
other-modules: TestSuite.HttpMem
TestSuite.InMemCache
TestSuite.InMemRepo
TestSuite.InMemRepository
TestSuite.JSON
TestSuite.PrivateKeys
TestSuite.Util.StrictMVar
-- inherited constraints from lib:hackage-security component
build-depends: hackage-security,
base,
containers,
bytestring,
network-uri,
tar,
text,
time,
zlib
if flag(Cabal-syntax)
build-depends: Cabal >= 3.7 && < 3.14,
Cabal-syntax >= 3.7 && < 3.14
else
build-depends: Cabal >= 2.2.0.1 && < 2.6
|| >= 3.0 && < 3.7,
Cabal-syntax < 3.7
-- dependencies exclusive to test-suite
build-depends: tasty >= 1.2 && < 1.6,
tasty-hunit == 0.10.*,
tasty-quickcheck == 0.10.*,
QuickCheck >= 2.11 && <2.15,
aeson >= 1.4 && < 1.6 || >= 2.0 && < 2.3,
vector >= 0.12 && <0.14,
unordered-containers >=0.2.8.0 && <0.3,
temporary >= 1.2 && < 1.4
hs-source-dirs: tests
default-language: Haskell2010
default-extensions: FlexibleContexts
GADTs
KindSignatures
RankNTypes
RecordWildCards
ScopedTypeVariables
ghc-options: -Wall