-
Notifications
You must be signed in to change notification settings - Fork 843
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Put hash/checksum in stack.yaml.lock to prevent manual updating #6590
Comments
@ysangkok, thanks for reporting. I've been looking at what Can we work though what alternative behaviour you are seeking with a simple example, say a simple one-package project called |
In particular:
|
Yes. After making such a demo project with Then, I modify
The Hackage hash is bad now, and the size too (I think that's what the But if I execute In my original version, acme-missiles was pinned with a git hash. This kind of corruption seems more likely, since people use these hashes to identify dependencies. Since acme-missiles isn't on git, I can't do that kind of corruption. But I think the corruption done in this message would also be fixed if the Stack had some kind of protection against manual editing. |
@ysangkok, in that example, Stack builds I think something similar would happen with an extra-dep that is a git repository at a specific commit. |
General summary/comments (optional)
We accidentally mangled our lock file when doing a global search/replace of a git hash.
The lock file ended up in a state where the URL didn't match the sha256, but it didn't result in any errors from stack.
Steps to reproduce
Mangle lock file.
Expected
I want stack to error next time it read the lock file, and tell me the lock file is corrupted.
Actual
No error
Stack version
Method of installation
Platform
Debian Bookworm
The text was updated successfully, but these errors were encountered: