Robert Hensing

Results: 909 comments by Robert Hensing

When Nix 3.0 is released we should recommend choosing between default.nix with `{ inNixShell ? false }: ..... ` (https://github.com/NixOS/nix/pull/3168) or flakes.

> IMO it should not account for ghc ever. This is not just an opinion. `cabal sdist` is used for uploading to hackage, which means that the sdists must include...

> Hmm sdist is not used to upload to hackage directly. My release scripts do `call sdist` before uploading. IIRC `cabal upload` fails if you don't call `cabal sdist` first....

Another 'requirement': #71 I hope we can make it extensible by separating concerns instead of introducing hooks, overriding flags etc. Maybe we can delegate *all* XSRF logic to a record...

@mebassett if the JWT value is not sufficiently unique, its hash can be guessed by the attacker. Another downside is that the token can only be reset when the JWT...

@3noch It depends on which Double-Submit. It's probably fine to reset it only on login/logout. I've finally found a [reasonably compelling source](https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request) to confirm this. If you have an XSS...

[This branch](https://github.com/roberth/servant-auth/tree/multi-submit-token) seems to do the trick. `acceptLogin` still sets the token. Servant-auth does not have a concept of log out, so that one is for the user to implement.

@domenkozar Good point! Looks like I misread it as hashing the unsigned JWT contents. Of course including the signature should make it impossible to guess.

Discussion here, possibly a bit different angle. https://discourse.elm-lang.org/t/why-is-html-a-single-dom-node/3966

We also experience this with ghcide-nix. I've tried it with haskell.nix master, but the ghc isn't right. I've tried both with and without reinstallable libghc. It does build without ghci...