stackage VS ring

Writing Haskell programs that rely on third-party packages is still an issue when it’s a not actively maintained package. They get out of date with the base library (Haskell’s standard library), and you might see yourself in a situation where you need to downgrade to an older version. This is not exclusive to Haskell, but it happens more often than I’d like to assume. However, if you only rely on known well-maintained libraries/frameworks such as Aeson, Squeleto, Yesod, and Parsec, to name a few, it’s unlikely you will face troubles at all, you just need to be more mindful of what you add as a dependency. There’s stackage.org now, a repository that works with Stack, providing a set of packages that are proven to work well together and help us to have reproducible builds in a more manageable way—not the solution for all the cases but it’s good to have it as an option.

> That is fine, as far as it goes, but obviously this will, at some point, be at odds with the interests of programmers looking to use Haskell as a practical, stable tool.

That's what Stackage is.

Stackage provides consistent sets of Haskell packages, known to build together and pass their tests before becoming Stackage Nightly snapshots and LTS (Long Term Support) releases. [1]

Java will never get this.

[1] https://www.stackage.org/

makefile_dir := $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) export PATH := $(makefile_dir):$(PATH) project_name ?= project_main ?= src/.hs retag_file ?= $(project_main) stack.yaml: @test -f stack.yaml || (echo -e "This makefile requires a 'stack.yaml' for your project.\nYou don't need to use 'stack' to build your project.\nYou just need a 'stack.yaml' specifying a resolver compatible with your GHC version.\nSee https://www.stackage.org/" && exit 1) stack: stack.yaml @which stack || (echo -e "This makefile requires 'stack' to be on your path. Use GHCup to install it.\nSee https://www.haskell.org/ghcup/" && exit 1) .PHONY: stack warning.txt: -@uname -a | grep -q Darwin && echo "WARNING: On Mac, you must alias 'make' to 'gmake' in your shell config file (e.g. ~/.bashrc or ~/.zshrc). Symbolic links will not work." | tee warning.txt @echo "Add 'warning.txt' to your .gitignore file if you never want to see this message again." hasktags: warning.txt stack @echo 'stack exec -- hasktags' > hasktags @chmod +x hasktags @echo "You might like to add 'hasktags' to your .gitignore file." format: stack @stack exec -- fourmolu --stdin-input-file $(project_main) .PHONY: format retag: warning.txt stack @stack exec -- haskdogs -i $(retag_file) --hasktags-args "-x -c -a" | sort -u -o tags tags .PHONY: retag tags: warning.txt hasktags stack @stack exec -- haskdogs .PHONY: tags ghcid: stack @stack exec -- ghcid \ --command 'stack repl --ghc-options "-fno-code -fno-break-on-exception -fno-break-on-error -v1 -ferror-spans -j"' \ --restart stack.yaml \ --restart $(project_name).cabal \ --warnings \ --outputfile ./ghcid.txt .PHONY: ghcid

(why lts-18.28? it's the latest 8.10 release on https://www.stackage.org/ )

I don't see way community maintenance can change the GHC for nightly.

It makes total sense that it fails since at no point I requested that the library be installed, which makes me wonder: Is there any way to request Hackage to install SDL and GLEW before attempting the build? I see Stackage has debian-bootstrap.sh. Does something similar exist for Hackage?

At this point, you can try a Stack snapshot that uses an older version of GHC. Looking at Stackage, you can see that the latest version before 8.10.* is 8.8.4 (using LTS 16.31). Starting over with that snapshot, you find that the packages that you need are in the snapshot and work.

On the contrary, I think this is standard practice for packages which are part of stackage. When stackage nightly switches to a new version of ghc, all the packages which are incompatible with the new ghc are dropped from nightly. My understanding is that maintainers are then expected to fix their packages, at which point more and more packages are included in the nightly snapshot. The next lts to include that version of ghc is only released later, once most packages have been added back, so unlike ghc users who diligently upgrade to the latest ghc, stackage users who diligently upgrade the latest lts snapshot shouldn't see a big drop in the number of compatible packages.

I found the latest stack lts version, and it's associated ghc version here: https://www.stackage.org/

Again, this is just a temporary situation, and a matter of burning down a list of small tasks. Not that the OpenSSL license issue is a big deal for most anyway. Feel free to help; see this issue filed by Josh Triplett: https://github.com/briansmith/ring/issues/1318#issuecomment-...

Note also that rustls depends on ring, which has architecture-dependent code in it that is not as widely compatible as eg. OpenSSL/GnuTLS/Mbed-TLS. For example, MIPS is not supported by ring.

The AWS Rust library we were using as a dependency depended on a cryptography library called ring. This library leverages C and assembly code to implement its cryptographic primitives. Unfortunately, cross compiling when C is involved can add complexity to the build process. While it might've been possible to overcome these issues I decided that it wasn't worth digging into more.

That'd be great. Thanks Brian. Re: making ring portable to all platforms: IBM have been graciously maintaining a up to date patchset for Ring for years now and there's an outstanding PR here you may not have seen since they filed it in 2020... https://github.com/briansmith/ring/pull/1057

Beyond the simple matter of Rust being much newer than OpenSSL, one concern for some cryptographic primitives is the timing side-channel.

https://en.wikipedia.org/wiki/Timing_attack

In high level languages like Rust, the compiler does not prioritise trying to emit machine code which executes in constant time for all inputs. OpenSSL has implementations for some primitives which are known to be constant time, which can be important.

One option if you're working with Rust anyway would be use something like Ring:

https://github.com/briansmith/ring

Ring's primitives are just taken from BoringSSL which is Google's fork of OpenSSL, they're a mix of C and assembly language, it's possible (though fraught) to write some constant time algorithms in C if you know which compiler will be used, and of course it's possible (if you read the performance manuals carefully) to write constant time assembly in many cases.

In the C / assembly language code of course you do not have any safety benefits.

It can certainly make sense to do this very tricky primitive stuff in dangerous C or assembly, but then write all the higher level stuff in Rust, and that's the sort of thing Ring is intended for. BoringSSL for example includes code to do X.509 parsing and signature validation in C, but those things aren't sensitive, a timing attack on my X.509 parsing tells you nothing of value, and it's complicated to do correctly so Rust could make sense.

machine learning, neural networks, image processing, cryptography (though it is getting better), font shaping/rendering (though it is getting better), CPU/software rendering (though it is getting better)