Cabal-install 3.10.2.0 released

Dear all,
cabal-install 3.10.2.0 has been released and is available in ghcup as well as on downloads.haskell.org.

This allowed the cabal team to refine our release process. Especially, the effort put in by our QA testers has been crucial in validating contributions changing user-facing behaviour.

Release notes for cabal-install 3.10.2.0: https://github.com/haskell/cabal/blob/master/release-notes/cabal-install-3.10.2.0.md

You can join the Cabal development community on Matrix at #hackage:matrix.org

Cheers,
Hécate

18 Likes

Yay, I was waiting for this fix:

  • add base to cabal install --lib default env file #8903
    This adds base by default to the env file created by cabal install --lib. Further it ensures that packagedbs have been created before adding them to the env file.
3 Likes

Using my docker image glcr.b-data.ch/ghc/ghc-musl:9.8.1:

cabal update \
  && cabal install --allow-newer --constraint 'Cabal-syntax<3.11' cabal-install-3.10.2.0
[...]
Installing   cabal-install-solver-3.10.1.0 (lib)
Completed    cabal-install-solver-3.10.1.0 (lib)
Starting     cabal-install-3.10.2.0 (lib)
Building     cabal-install-3.10.2.0 (lib)
Installing   cabal-install-3.10.2.0 (lib)
Completed    cabal-install-3.10.2.0 (lib)
Starting     cabal-install-3.10.2.0 (exe:cabal)
Building     cabal-install-3.10.2.0 (exe:cabal)
Installing   cabal-install-3.10.2.0 (exe:cabal)
Completed    cabal-install-3.10.2.0 (exe:cabal)
Symlinking 'cabal' to '/root/.local/bin/cabal'
0e1c8bd414fd:/# /root/.local/bin/cabal --version
cabal-install version 3.10.1.0
compiled using version 3.10.2.0 of the Cabal library

Why does it output cabal-install version 3.10.1.0?


I’m investigating, thank you

2 Likes

Congratulations on this much awaited bug-fix release and thank you @Kleidukos for relentlessly stomping through the unending stream of last minute requests, bugs, fixes and devops overhauls that led to the 3.10.2.0 release.

8 Likes

I opened an issue:

2 Likes

Thanks again @benz0li, this has been fixed with cabal-install 3.10.2.1!

3 Likes

Glad to see a new release! I’m not sure if you mean to keep the “releases” tab on github up to date, if so, this one is missing :slight_smile:

Any thoughts on when multi-home support will land? I am dying to use that feature in my repl!

1 Like

I’m not sure if you mean to keep the “releases” tab on github up to date, if so, this one is missing :slight_smile:

Thank you, it is now available here: Release cabal v3.10.2.1 · haskell/cabal · GitHub

@m4dc4p this will have to be Cabal 3.12, which is not scheduled yet. Perhaps, will coincide with the next GHC release. Unless there’s a volunteer to make that release earlier :slight_smile:

1 Like

let me add that this version of cabal-install fixes a modest but real security issue, and i’d urge users to upgrade: https://github.com/haskell/security-advisories/blob/main/advisories/hackage/cabal-install/HSEC-2023-0015.md

some repos (such as head.hackage) were not keeping their timestamp.json up to date, and now that cabal-install properly checks this, users may find problems until the repos fix this. in the meantime, the --ignore-expiry flag can be used.

5 Likes
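
An added example, not part of the post above and not cabal-install's own code: a check a repository operator could run on their timestamp.json to see whether clients that enforce expiry would reject it. The JSON layout (expiry at signed.expires as a UTC ISO-8601 string, null meaning no expiry) and the name check_expiry are assumptions, and the sample document is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, not fetched from any repository. Assumed layout: a
# TUF-style envelope with the expiry at signed.expires (ISO-8601, UTC).
SAMPLE_TIMESTAMP_JSON = """
{"signatures": [],
 "signed": {"_type": "Timestamp",
            "expires": "2023-11-01T00:00:00Z",
            "version": 42}}
"""


def check_expiry(raw, now, warn_within=timedelta(days=1)):
    """Return 'ok', 'expiring', 'expired', 'no-expiry' or 'malformed'.

    `now` is a timezone-aware UTC datetime. Only the expiry field is
    inspected; signatures are not verified by this check.
    """
    try:
        signed = json.loads(raw)["signed"]
        if signed.get("_type") != "Timestamp":
            return "malformed"
        expires = signed["expires"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed"
    if expires is None:  # assumed encoding of "never expires"
        return "no-expiry"
    try:
        deadline = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%SZ")
    except (ValueError, TypeError):
        return "malformed"
    deadline = deadline.replace(tzinfo=timezone.utc)
    if now >= deadline:
        return "expired"      # clients that enforce expiry will refuse this
    if deadline - now <= warn_within:
        return "expiring"     # re-sign before clients start failing
    return "ok"


if __name__ == "__main__":
    print(check_expiry(SAMPLE_TIMESTAMP_JSON, datetime.now(timezone.utc)))
```

Run from a scheduled job, the 'expiring' result gives a repository time to re-sign before users have to fall back to --ignore-expiry.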

Will this be backported to 3.6 and 3.8? Can you point us to the commit that fixes it?

There are no plans for a backport. The commit fixing it is linked in the advisory above, but for reference:

Since 3.10.2 is broken on windows, I suggest a backport.

1 Like
1 Like

For people who can’t update to 3.10.2.0 (e.g. due to windows regression), I have backported the fix downstream and created a distributor release 3.6.2.0-p1, which now is the new ‘recommended’ version, until 3.10 branch fixes the regressions.

To update, run either:

ghcup install cabal 3.6.2.0-p1

or

ghcup install cabal 3.10.2.0

All other vulnerable versions that the user tries to install are going to write a post-install message:

[ Info  ] This release is vulnerable: https://github.com/haskell/security-advisories/blob/main/advisories/hackage/cabal-install/HSEC-2023-0015.md
[ ...   ] Update to 3.6.2.0-p1 or 3.10.2.0.
[ ...   ]

Further, I have opened Disclosure policies · Issue #129 · haskell/security-advisories · GitHub to improve the disclosure process.

There will also be some design discussion on how ghcup can more conveniently warn users of vulnerable tool versions: Better mechanism to respond to security advisories and warn users · Issue #932 · haskell/ghcup-hs · GitHub

3 Likes

note: we’ve made progress on the single windows regression i know of, tracing it to an intermittent failure in cabal run having to do with the compiled script caching mechanism producing (depending on the hash) filepaths which are valid on windows but problematic specifically to llvm-ar. hopefully we can resolve this soon and get out a new version of cabal-install which works well on all platforms, including in this circumstance.

5 Likes