Label vincenthz packages as deprecated on Hackage
Kleidukos opened this issue · comments
-
How and when was the maintainer for the package requiring action contacted?
The maintainer has decided to cease all activities in the Haskell ecosystem, and for some select packages, forks have been set in place. The TLS libraries have been handed over to a new maintainer, but most things have been abandoned with no intent to hand over maintainership. -
If available, a link to the filed issue in the upstream issue tracker
These repositories have been archived, and as such it is not possible to interact on the issue tracker -
How critical is this?
For cryptography package it is primordial to drive people away from clearly deprecated packages.
Some other names likegit
,connection
,packer
orpem
could be reused for actually maintained libraries.
(non-exhaustive) List of packages
- foundation
- basement
- memory
- cryptonite in favour of crypton
- cryptohash-cryptoapi
- gauge
- git
- language-java
- connection
- hit
- hourglass
- professor
- asn1
- socks
- libgit
- cabal-db
- securemem
- packer
- siphash
- unix-memory
- pem
- crypto-pubkey-types
- fileformat
- cstruct
- byteable
e.g. tls
depends on asn1-types
which depends on hourglass
. tls
also depends on memory
directly. crypton
depends on memory
and basement
.
I feel it's better to do nothing for most of these packages.
The deprecation cryptonite
in favour of crypton
makes sense. In particular there is the superseding package. But for something like asn1-*
family of packages there simply aren't alternatives, AFAIK.
TL;DR, they are not deprecated, they are abandoned. That is not the same.
Understandable
basement
and foundation
have been recently refreshed on Hackage (June 2023) and have @snoyberg listed as (Hackage) maintainer, so they should be good for a while.
I suggest we mark:
cryptonite
deprecated in favor ofcrypton
,cryptohash-md5
,cryptohash-sha1
,cryptohash-sha256
,cryptohash-sha512
(plenty ofcryptonite
clients use it just for hashes),gauge
deprecated in favor oftasty-bench
andcriterion
.
I'm not aware of any easy replacement for memory
, and the rest of Vincent's legacy is not that widely used.
Would it be possible for trustees to swap out dependencies on connection
for crypton-connection
? Or is that not permitted?
In particular, I am thinking of:
Would it be possible for trustees to swap out dependencies
No, revisions cannot change the dependencies; only their version ranges.
For the reference, gauge
is broken on aarch64 with
cbits/cycles.c:55:2: error:
error: Unsupported OS/architecture/compiler!
|
55 | #error Unsupported OS/architecture/compiler!
| ^
#error Unsupported OS/architecture/compiler!
and on any arch with GHC 9.10 because of vendored-in math-functions
:
math-functions/Numeric/Sum.hs:138:19: error: [GHC-87543]
Ambiguous occurrence ‘foldl'’.
It could refer to
either ‘Prelude.foldl'’,
imported from ‘Prelude’ at math-functions/Numeric/Sum.hs:25:8-18
(and originally defined in ‘ghc-internal-9.1001.0:GHC.Internal.Data.Foldable’),
or ‘Data.Vector.Generic.foldl'’,
imported from ‘Data.Vector.Generic’ at math-functions/Numeric/Sum.hs:35:41-46.
|
138 | sumVector f = f . foldl' add zero
|
And cryptonite
has several unmitigated issues such as kazu-yamamoto/crypton#22 and haskell-crypto/cryptonite#374 (aka kazu-yamamoto/crypton#1).