[darcs-devel] ssh release needed (Re: status of darcsden repo)

Simon Michael simon at joyful.com
Wed Jul 1 22:40:34 UTC 2020 

On 6/30/20 1:17 PM, Simon Michael wrote:>> On Jun 30, 2020, at 11:46, 
Simon Michael <simon at joyful.com> wrote:
 >> On Tue, Jun 30, 2020, at 11:28 AM, Ganesh Sittampalam wrote:
 >>> Deprecation+bundling seems reasonable to me if you'd rather it not 
be independent.
 >>
 >> Thanks Ganesh. It's not that, but if it's only a component of 
darcsden then it seems to make sense, reducing busywork. One package 
instead of two.
 >
 > Actually I take that back, the simplest thing is just to upload a new 
ssh release, isn’t it.


Continuing this darcsden-related thread here, I hope it's not too off 
topic.

With Ganesh's blessing, I have done a bit more cleanup towards a ssh 0.4 
release (changelog, updating metadata, listing myself and Ganesh as 
comaintainers). You can review the latest at https://hub.darcs.net/simon/ssh

I had updated the cabal file to point to this as the official repo, but 
I see a new problem: the issue tracker is in Ganesh's, and can't easily 
be moved: https://hub.darcs.net/ganesh/ssh/issues/all

So maybe it's better to keep Ganesh's repo as the official one. Ie when 
the time comes, Ganesh can replace his last N patches (forking a backup 
first if needed) with the latest from my repo.

Here's what I see remaining to do before 0.4 release:

1. fix the failing tests. A release blocker.

2. fix compilation warnings if at all possible.

3. fix the three strangely unindented do blocks in SSH.hs that compile 
only under Haskell98 (change that to Haskell2010 in the cabal file to 
see them, eg line 154). Alex Suraci might get back to me on this, or we 
can review this code and decide if the blocks should or should not be 
indented/conditionalised, or we can ignore them and keep compiling as 
Haskell98. Not a release blocker.

4. tests hang when I run them on a particular machine (a VPS). Not too 
important.

Longer term:

- Ben, ssh now depends on random 1.2+. Possibly that helps with the 
cryptographic weakness you mentioned ?

- maybe porting to hssh is the right move. I'm not sure; hssh was 
released two years later, but doesn't seem too active either, and would 
be less under our control (that can be good or bad). If I understand 
things, ssh relies on the C libssh2 library (despite the "pure haskell" 
description), while hssh + cryptonite is 100% haskell, which arguably 
could makes it more cryptographically suspect.

More information about the darcs-devel mailing list