Backport TUF security bugfix to 3.6

[andreabedini]

cherry-picks dcfdc9c

closes: #9451

[andreabedini]

I had to restrict the bound of hackage-security to get this to work.

hackage-security-0.6.2.0 added a dependency on Cabal-syntax, which is incompatible with Cabal-3.6.

[hasufell]

I had to restrict the bound of hackage-security to get this to work.

hackage-security-0.6.2.0 added a dependency on Cabal-syntax, which is incompatible with Cabal-3.6.

It's not, you can use this patch:

From 9a04c42a76883f141bc4589a2d26b28c63cde10c Mon Sep 17 00:00:00 2001
From: Julian Ospald <[email protected]>
Date: Thu, 16 Nov 2023 21:00:26 +0800
Subject: [PATCH 1/5] Fix build with newer GHC

---
 cabal-install/src/Distribution/Client/Win32SelfUpgrade.hs | 2 +-
 cabal.project.release                                     | 3 +++
 cabal.project.validate                                    | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/cabal-install/src/Distribution/Client/Win32SelfUpgrade.hs b/cabal-install/src/Distribution/Client/Win32SelfUpgrade.hs
index 0d9a9effe..c220d9e92 100644
--- a/cabal-install/src/Distribution/Client/Win32SelfUpgrade.hs
+++ b/cabal-install/src/Distribution/Client/Win32SelfUpgrade.hs
@@ -140,7 +140,7 @@ deleteOldExeFile verbosity oldPID tmpPath = do
      ++ show oldPID ++ " at path " ++ tmpPath
 
   log $ "getting handle of parent process " ++ show oldPID
-  oldPHANDLE <- Win32.openProcess Win32.sYNCHORNIZE False (fromIntegral oldPID)
+  oldPHANDLE <- Win32.openProcess Win32.sYNCHRONIZE False (fromIntegral oldPID)
 
   log $ "synchronising with parent"
   event <- openEvent syncEventName
diff --git a/cabal.project.release b/cabal.project.release
index 4fda782ae..8a5f856a3 100644
--- a/cabal.project.release
+++ b/cabal.project.release
@@ -3,3 +3,6 @@ packages: cabal-install/
 tests: False
 benchmarks: False
 optimization: True
+constraints: Cabal-syntax < 3.7,
+             Win32 >= 2.8
+allow-newer: base
diff --git a/cabal.project.validate b/cabal.project.validate
index 25f29243d..33b28876f 100644
--- a/cabal.project.validate
+++ b/cabal.project.validate
@@ -17,6 +17,8 @@ tests: True
 -- avoiding extra dependencies
 constraints: rere -rere-cfg
 constraints: these -assoc
+constraints: Cabal-syntax < 3.7,
+             Win32 >= 2.8
 
 write-ghc-environment-files: never
 
-- 
2.41.0

[andreabedini]

@hasufell

It's not, you can use this patch:

Sorry you need to be more explicit with me. Do you mean you want to allow cabal-install-3.6 to build against a newer Cabal than 3.6? I am not opposed to that but I think it can be discussed separately.

I don't understand what you are suggesting, the patch above changes a call to Win32.sYNCHRONIZE, how is this related to hackage-security?

If I am not mistaken cabal-install-3.6.2.0 has been unbuildable since hackage-security-0.6.2.0 came out so that is an urgent concern (we should do a revision on hackage too).

[hasufell]

Sorry you need to be more explicit with me.

This fixes it:

constraints: Cabal-syntax < 3.7

Cabal-syntax-3.6 is a dummy package:

Version 3.6 (unlike the following versions) is a dummy package that prevents module name clases between Cabal and Cabal-syntax if used together with a Cabal flag as described below.

The Win32 thing was needed to fix builds on windows for me.

[andreabedini]

@hasufell that a project configuration setting, it is not part of the package metadata.

[hasufell]

@hasufell that a project configuration setting, it is not part of the package metadata.

You can put it in the package metadata.

[andreabedini]

I tried to get the CI to pass but I have given up :)

[ulysses4ever]

What's the plan for this? I'm not sure it's the best application of our scarce resources to patch the old releases.

[Kleidukos]

@andreabedini Let's leave 3.6 to be patched by downstream if they wish so, it would be better to focus on delivering 3.10.3.0

[andreabedini]

@andreabedini Let's leave 3.6 to be patched by downstream if they wish so, it would be better to focus on delivering 3.10.3.0

👍