Haskell GitHub Trust is for Other People’s Packages

The Haskell GitHub Trust is new GitHub organization for community maintenance of Haskell packages.

If you find an under-maintained Haskell package which is useful but just needs a little freshening up, you generally have two good options.

  1. Submit a PR and pester the maintainer to publish a new version. Then next year another person who wants to use the package will have to repeat this process.
  2. Ask to become a maintainer. Then next year another person who wants to use the package will pester you.

The Haskell GitHub Trust gives you a third option:

  1. Add the package to the Haskell Github Trust.

All Trust Owners can publish any package in the Trust. It’s easy to become a Trust Owner if you have any reputation at all in the Haskell community.

12 Likes

I don’t feel like setting up a Haskell Gitlab Trust, but I encourage you to do so.

3 Likes

Thanks for setting this up. I passed over repos including my very first package:

  • pureMD5
  • random-string
  • crypto-api
  • fgl-visualize
  • vector-strategies

I’m still around and these packages have needed nothing for forever (also have likely zero users), but this seems like a good place for functioning, low change, code.

2 Likes

It was @TomMD who goaded me into launching the Haskell GitHub Trust. https://twitter.com/MDTom/status/1653228621627293699

1 Like

Thank you for this initiative! It’s good to see someone dealing with this and I’m hopeful that it can help. But I’m a little confused about how to use it, and I’d like to ask some questions.

Let’s say I notice a package on Hackage that I’d like to put onto the GitHub Trust, like the situation in the recent thread by @unlocked2412 about the clipping package. What should I do?

(In particular, do I need to get permission to take over the package and become the Hackage maintainer? Or is having a GitHub fork of the repository enough? The announcement says it’s for “other people’s packages” and your Twitter discussion mentions unilaterally forking, but the rules on the GitHub Trust page disallow “transferring a package repository without permission of the maintainer”, which seems like it contradicts that. Am I misunderstanding something?)

Also, can you add packages to the Trust or request changes to them if you are not a Trust Owner? Should everyone who wants to add to or change Trust packages become an Owner?

1 Like

Great questions.


do I need to get permission to take over the package and become the Hackage maintainer?

Yes, you will need permission, either from the package owner, or from the Hackage Trustees.

I just improved the Haskell GitHub Trust README about how to add other people’s packages to the Trust. I hope it’s clearer now.

How to add other people’s packages to the Trust

  1. Follow the instructions in Taking over a package with your own Hackage account. Declare your intent to add the package to the Haskell GitHub Trust.
  2. Add the Hackage account haskell_github_trust to the list of package Maintainers.
  3. Transfer or fork the package repository into this org.

the rules on the GitHub Trust page disallow “transferring a package repository without permission of the maintainer”

I just clarified that on the README to

  • Transfers a package repository out of this org without permission of the maintainer

can you add packages to the Trust or request changes to them if you are not a Trust Owner?

No. But it’s easy to become a Trust Owner. EDIT Yes, you can add packages to the Trust without being a Trust Owner. Anyone can donate their packages to the Trust with this easy two-step process.

You can also request changes in the usual way, by creating GitHub issues or PRs.

4 Likes

Thank you! That answers all my questions and clarifies everything. I totally understand the need to get permission to change a package on Hackage.

It would be nice to put some packages into the Trust, but I’m a little wary of using the package takeover process, out of reluctance to spam this or other forums with requests and increase the burden on Hackage trustees. There are hundreds of abandoned packages, and bulk-emailing all the maintainers and asking to take over all of them would probably be problematic. Should only the more useful packages be selected? What counts as useful, and how many is too many? If a maintainer doesn’t respond, how long should you wait before making a public request?

I realise that these are questions that can’t necessarily be answered right away by one person, but I feel like it would be easier to contribute if I had answers to them, so I’m sharing my thoughts in the hope of furthering the discussion and maybe helping other people to participate too.

1 Like

There are hundreds of abandoned packages, and bulk-emailing all the maintainers and asking to take over all of them would probably be problematic. Should only the more useful packages be selected?

I think the best way to approach this is to add packages to the Trust lazily, when you need them, one at a time.

When you encounter a package that you need but the package owner is no longer interested in maintaining the package, then start by suggesting to the package owner to add the package to the Trust.

1 Like

Thank you again. That seems like a sensible policy.

1 Like