cabal-version: 1.12
name: hackage-security
version: 0.6.0.1
x-revision: 2
synopsis: Hackage security library
description: The hackage security library provides both server and
client utilities for securing the Hackage package server
(). It is based on The Update
Framework (), a set of
recommendations developed by security researchers at
various universities in the US as well as developers on the
Tor project ().
.
The current implementation supports only index signing,
thereby enabling untrusted mirrors. It does not yet provide
facilities for author package signing.
.
The library has two main entry points:
"Hackage.Security.Client" is the main entry point for
clients (the typical example being @cabal@), and
"Hackage.Security.Server" is the main entry point for
servers (the typical example being @hackage-server@).
license: BSD3
license-file: LICENSE
author: Edsko de Vries
maintainer: cabal-devel@haskell.org
copyright: Copyright 2015-2016 Well-Typed LLP
category: Distribution
homepage: https://github.com/haskell/hackage-security
bug-reports: https://github.com/haskell/hackage-security/issues
build-type: Simple
tested-with: GHC==8.10.1, GHC==8.8.3, GHC==8.6.5, GHC==8.4.4, GHC==8.2.2, GHC==8.0.2,
GHC==7.10.3, GHC==7.8.4, GHC==7.6.3, GHC==7.4.2
extra-source-files:
ChangeLog.md
source-repository head
type: git
location: https://github.com/haskell/hackage-security.git
flag base48
description: Are we using @base@ 4.8 or later?
manual: False
flag use-network-uri
description: Are we using @network-uri@?
manual: False
flag old-directory
description: Use @directory@ < 1.2 and @old-time@
manual: False
default: False
flag mtl21
description: Use @mtl@ < 2.2 and @mtl-compat@
manual: False
default: False
flag lukko
description: Use @lukko@ for file-locking, otherwise use @GHC.IO.Handle.Lock@
manual: True
default: True
library
-- Most functionality is exported through the top-level entry points .Client
-- and .Server; the other exported modules are intended for qualified imports.
exposed-modules: Hackage.Security.Client
Hackage.Security.Client.Formats
Hackage.Security.Client.Repository
Hackage.Security.Client.Repository.Cache
Hackage.Security.Client.Repository.Local
Hackage.Security.Client.Repository.Remote
Hackage.Security.Client.Repository.HttpLib
Hackage.Security.Client.Verify
Hackage.Security.JSON
Hackage.Security.Key.Env
Hackage.Security.Server
Hackage.Security.Trusted
Hackage.Security.TUF.FileMap
Hackage.Security.Util.Checked
Hackage.Security.Util.Path
Hackage.Security.Util.Pretty
Hackage.Security.Util.Some
Text.JSON.Canonical
other-modules: Hackage.Security.Key
Hackage.Security.Trusted.TCB
Hackage.Security.TUF
Hackage.Security.TUF.Common
Hackage.Security.TUF.FileInfo
Hackage.Security.TUF.Header
Hackage.Security.TUF.Layout.Cache
Hackage.Security.TUF.Layout.Index
Hackage.Security.TUF.Layout.Repo
Hackage.Security.TUF.Mirrors
Hackage.Security.TUF.Paths
Hackage.Security.TUF.Patterns
Hackage.Security.TUF.Root
Hackage.Security.TUF.Signed
Hackage.Security.TUF.Snapshot
Hackage.Security.TUF.Targets
Hackage.Security.TUF.Timestamp
Hackage.Security.Util.Base64
Hackage.Security.Util.Exit
Hackage.Security.Util.IO
Hackage.Security.Util.JSON
Hackage.Security.Util.Lens
Hackage.Security.Util.Stack
Hackage.Security.Util.TypedEmbedded
Prelude
-- We support ghc 7.4 (bundled with Cabal 1.14) and up
build-depends: base >= 4.5 && < 4.15,
base16-bytestring >= 0.1.1 && < 0.2,
base64-bytestring >= 1.0 && < 1.2,
bytestring >= 0.9 && < 0.11,
Cabal >= 1.14 && < 1.26
|| >= 2.0 && < 2.6
|| >= 3.0 && < 3.6,
containers >= 0.4 && < 0.7,
ed25519 >= 0.0 && < 0.1,
filepath >= 1.2 && < 1.5,
parsec >= 3.1 && < 3.2,
pretty >= 1.0 && < 1.2,
cryptohash-sha256 >= 0.11 && < 0.12,
-- 0.4.2 introduces TarIndex, 0.4.4 introduces more
-- functionality, 0.5.0 changes type of serialise
tar >= 0.5 && < 0.6,
template-haskell >= 2.7 && < 2.17,
time >= 1.2 && < 1.11,
transformers >= 0.3 && < 0.6,
zlib >= 0.5 && < 0.7,
-- whatever versions are bundled with ghc:
ghc-prim
if flag(old-directory)
build-depends: directory >= 1.1.0.2 && < 1.2,
old-time >= 1 && < 1.2
else
build-depends: directory >= 1.2 && < 1.4
if flag(mtl21)
build-depends: mtl >= 2.1 && < 2.2,
mtl-compat >= 0.2 && < 0.3
else
build-depends: mtl >= 2.2 && < 2.3
if flag(lukko)
build-depends: lukko >= 0.1 && < 0.2
else
build-depends: base >= 4.10
hs-source-dirs: src
default-language: Haskell2010
default-extensions: DefaultSignatures
DeriveDataTypeable
DeriveFunctor
FlexibleContexts
FlexibleInstances
GADTs
GeneralizedNewtypeDeriving
KindSignatures
MultiParamTypeClasses
NamedFieldPuns
NoMonomorphismRestriction
RankNTypes
RecordWildCards
ScopedTypeVariables
StandaloneDeriving
TupleSections
TypeFamilies
TypeOperators
ViewPatterns
other-extensions: BangPatterns
CPP
OverlappingInstances
PackageImports
UndecidableInstances
-- use the new stage1/cross-compile-friendly DeriveLift extension for GHC 8.0+
if impl(ghc >= 8.0)
other-extensions: DeriveLift
else
other-extensions: TemplateHaskell
ghc-options: -Wall
if flag(base48)
build-depends: base >= 4.8
else
build-depends: base < 4.8, old-locale == 1.0.*
-- The URI type got split out off the network package after version 2.5, and
-- moved to a separate network-uri package. Since we don't need the rest of
-- network here, it would suffice to rely only on network-uri:
--
-- > if flag(use-network-uri)
-- > build-depends: network-uri >= 2.6 && < 2.7
-- > else
-- > build-depends: network >= 2.5 && < 2.6
--
-- However, if we did the same in hackage-security-HTTP, Cabal would consider
-- those two flag choices (hackage-security:use-network-uri and
-- hackage-security-HTTP:use-network-uri) to be completely independent; but
-- they aren't: if it links hackage-security against network-uri and
-- hackage-security-HTTP against network, we will get type errors when
-- hackage-security-HTTP tries to pass a URI to hackage-security.
--
-- It might seem we can solve this problem by re-exporting the URI type in
-- hackage-security and avoid the dependency in hackage-security-HTTP
-- altogether. However, this merely shifts the problem: hackage-security-HTTP
-- relies on the HTTP library which--surprise!--makes the same choice between
-- depending on network or network-uri. Cabal will not notice that we cannot
-- build hackage-security and hackage-security-HTTP against network-uri but
-- HTTP against network.
--
-- We solve the problem by explicitly relying on network-2.6 when choosing
-- network-uri. This dependency is redundant, strictly speaking. However, it
-- serves as a proxy for forcing flag choices: since all packages in a
-- solution must be linked against the same version of network, having one
-- version of network in one branch of the conditional and another version of
-- network in the other branch forces the choice to be consistent throughout.
-- (Note that the HTTP library does the same thing, though in this case the
-- dependency in network is not redundant.)
if flag(use-network-uri)
build-depends: network-uri >= 2.6 && < 2.7,
network >= 2.6 && < 2.9
|| >= 3.0 && < 3.2
else
build-depends: network >= 2.5 && < 2.6
if impl(ghc >= 7.8)
other-extensions: RoleAnnotations
if impl(ghc >= 7.10)
other-extensions: AllowAmbiguousTypes
StaticPointers
test-suite TestSuite
type: exitcode-stdio-1.0
main-is: TestSuite.hs
other-modules: TestSuite.HttpMem
TestSuite.InMemCache
TestSuite.InMemRepo
TestSuite.InMemRepository
TestSuite.JSON
TestSuite.PrivateKeys
TestSuite.Util.StrictMVar
-- inherited constraints from lib:hackage-security component
build-depends: hackage-security,
base,
Cabal,
containers,
bytestring,
network-uri,
tar,
time,
zlib
-- dependencies exclusive to test-suite
build-depends: tasty == 1.2.*,
tasty-hunit == 0.10.*,
tasty-quickcheck == 0.10.*,
QuickCheck >= 2.11 && <2.14,
aeson == 1.4.*,
vector == 0.12.*,
unordered-containers >=0.2.8.0 && <0.3,
temporary >= 1.2 && < 1.4
hs-source-dirs: tests
default-language: Haskell2010
default-extensions: FlexibleContexts
GADTs
KindSignatures
RankNTypes
RecordWildCards
ScopedTypeVariables
ghc-options: -Wall