hackage-security icon indicating copy to clipboard operation
hackage-security copied to clipboard

Published 20 hours ago verified publisher icon haskell

Why is there bespoke JSON infra?

Open Ericson2314 opened this issue 3 years ago • 3 comments

Shouldn't we just delete that and use Aeson?

Ericson2314 avatar May 31 '22 06:05 Ericson2314

I really don't know the packages enough to say. That's about the hackage-security Hackage package proper? I suppose the original authors would know, so let's ask them.

Mikolaj avatar May 31 '22 19:05 Mikolaj

Does Aeson provide support for Canonical JSON? That's necessary for reliably hashing JSON values, which is crucial. I don't know the details of the history here, but it looks like the relevant bits were subsequently extracted as a separate package (https://github.com/well-typed/canonical-json) so perhaps hackage-security could be refactored to use that, if anyone cares enough.

adamgundry avatar Jul 19 '22 19:07 adamgundry

References:

  • https://github.com/haskell/hackage-security/blob/1cee235a97a9439a58953a83fcfdd4449fe7c7a3/hackage-security/src/Text/JSON/Canonical.hs
  • https://hackage.haskell.org/package/canonical-json

aeson is very slow to compile and provides many features not needed here, so I'd advice against.

canonical-json is atm outdated and needs to be lifted to the latest Haskell ecosystem (bytestring-0.11). Whether it has any users, is hard to tell, at least it is not tracked in https://packdeps.haskellers.com/reverse/canonical-json.

Never change a running system. As long as there isn't any expected gain from change, I'd leave things as-is for now.

andreasabel avatar Jul 21 '22 08:07 andreasabel