For the purpose of SBOM and dependency analysis I don't think I feel comfortable with merely using a pinned index-state, as I started to do in #9820. But how about a freeze file?
There are ways to have a freeze file that are ergonomic:
- Using a freeze file against a specific cabal.project file will give the freeze file a specific name:

  ```
  ❯ cabal freeze --project-file cabal.project.release
  Warning: this is a debug build of cabal-install with assertions enabled.
  Resolving dependencies...
  Wrote freeze file:
  Wrote freeze file: /home/hecate/Contrib/cabal/cabal.project.release.freeze
  ```

- `cabal outdated` works with a specific cabal project file too:

  ```
  ❯ cabal outdated -v3 --project-file cabal.project.release --v2-freeze-file
  […]
  Reading the list of dependencies from the new-style freeze file
  /home/hecate/Contrib/cabal/cabal.project.release.freeze
  Outdated dependencies:
  base ==4.18.2.0 (latest: 4.19.1.0)
  […]
  ```

- The freeze file can be altered to work across several versions of the compiler by removing some select lines:

  ```
  active-repositories:
  any.base
  any.deepseq
  any.ghc-bignum
  any.ghc-boot-th
  any.ghc-prim
  any.integer-gmp
  any.rts
  any.template-haskell
  index-state:
  ```

  (note: Although perhaps it is interesting to us to fix the version of the compiler for the release workflow somewhere else than in `.gitlab-ci.yml`).

  This removal can be a simple sed script in a shell wrapper.
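The "freeze, then strip the boot-package lines in a shell wrapper" step described above, as an added example that is not part of cabal or of the issue thread. A freeze file pins every Hackage dependency to an exact version, which is what an SBOM or dependency audit needs; the boot packages (`base`, `ghc-prim`, `rts`, ...) are dictated by the GHC version, so dropping their constraints keeps the file usable across compilers without loosening any other pin. The layout of the freeze file (a `constraints:` block with one `any.<pkg> ==<version>,` entry per line), the function names and the sample file contents below are constructed for this example; the strip step uses awk rather than a plain line-wise sed delete so that removing the first or last entry does not orphan the `constraints:` key or leave a dangling comma.

```sh
#!/bin/sh
# Added example (not cabal's own code): wrap `cabal freeze` and strip the GHC
# boot-package constraints so one freeze file works across compiler versions.
# Assumed freeze-file layout: a `constraints:` block, one `any.<pkg> ==<ver>,`
# entry per line, framed by other top-level keys such as `index-state:`.
set -e

# Boot packages named in the comment; their versions are fixed by GHC itself.
BOOT_PACKAGES='base deepseq ghc-bignum ghc-boot-th ghc-prim integer-gmp rts template-haskell'

# strip_boot_constraints [FILE]: copy FILE (or stdin) to stdout, dropping the
# constraints on boot packages. Surviving entries are re-emitted in the layout
# cabal writes: `constraints:` on the first one, a trailing comma on all but
# the last. Any other line (active-repositories:, index-state:, ...) is kept.
strip_boot_constraints() {
    awk -v boot="$BOOT_PACKAGES" '
    BEGIN {
        n = split(boot, parts, " ")
        for (i = 1; i <= n; i++) isboot["any." parts[i]] = 1
    }
    # Print the kept entries with the key on the first and commas between.
    function flush(   i) {
        for (i = 1; i <= kept; i++)
            printf "%s%s%s\n", (i == 1 ? "constraints: " : "             "), entry[i], (i < kept ? "," : "")
        kept = 0; inblock = 0
    }
    # A non-indented line ends the constraints block.
    inblock && /^[^ \t]/ { flush() }
    /^constraints:/ { inblock = 1; sub(/^constraints:[ \t]*/, "") }
    inblock {
        e = $0; sub(/^[ \t]+/, "", e); sub(/,[ \t]*$/, "", e)
        if (e != "") { split(e, f, " "); if (!(f[1] in isboot)) entry[++kept] = e }
        next
    }
    { print }
    END { if (inblock) flush() }
    ' "$@"
}

# freeze_portable PROJECT_FILE: run `cabal freeze` for PROJECT_FILE (cabal
# names the result PROJECT_FILE.freeze, as shown in the comment) and rewrite
# that file in place without the boot-package constraints.
freeze_portable() {
    cabal freeze --project-file "$1"
    strip_boot_constraints "$1.freeze" > "$1.freeze.tmp"
    mv "$1.freeze.tmp" "$1.freeze"
}

# Constructed sample freeze file (versions and index-state are made up).
sample_freeze() {
    cat <<'EOF'
active-repositories: :rest
constraints: any.aeson ==2.1.2.1,
             any.base ==4.18.2.0,
             any.ghc-prim ==0.10.0,
             any.text ==2.0.2,
             any.template-haskell ==2.20.0.0
index-state: hackage.haskell.org 2024-03-13T13:48:24Z
EOF
}

# Constructed edge case: the first entry, which carries the key, is a boot package.
sample_freeze_boot_first() {
    cat <<'EOF'
constraints: any.base ==4.18.2.0,
             any.text ==2.0.2
index-state: hackage.haskell.org 2024-03-13T13:48:24Z
EOF
}

# Stand-alone demonstration on the constructed sample (no cabal needed).
sample_freeze | strip_boot_constraints
```

In a release pipeline the wrapper would be called as `freeze_portable cabal.project.release`, after which `cabal outdated --project-file cabal.project.release --v2-freeze-file` and any SBOM tooling read the stripped `cabal.project.release.freeze` while `.gitlab-ci.yml` (or wherever the compiler version ends up being fixed) remains the single place that selects the GHC version.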