Added a comment

1 files changed, 11 insertions, 0 deletions

diff --git a/doc/forum/Why_downloading_package_list_from_hackage.haskell.org__63__/comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment b/doc/forum/Why_downloading_package_list_from_hackage.haskell.org__63__/comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment
new file mode 100644
index 00000000..229ff1e0
--- /dev/null
+++ b/doc/forum/Why_downloading_package_list_from_hackage.haskell.org__63__/comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="gueux"
+ subject="comment 3"
+ date="2015-09-10T09:30:57Z"
+ content="""
+The host has 128Mo of RAM :-). All dependencies should be available to apt-get, though... as it runs debian jessie. I used propellor on several other hosts running jessie also, and (it seems that) they didn't download the package list.
+
+Downloading anything from hackage is problematic because cabal uses insecure http (potential MITM), and a new version of a dependency may introduce security holes.
+
+As side note, stack may be an alternative to cabal in the case where apt can't find all the dependencies: it downloads everything securely, and stackage allows to deal with dependencies issues: the build may probably fail if new incompatible versions of propellor dependencies are released to hackage. Or maybe using strict versioning would be a solution there. Or maybe building propellor (at least for host with the same architecture) before sending it to the host?
+"""]]