Bump the lower bound on base?

[philderbeast]

Could we bump the lower bound on base?

hackage-security/hackage-security/hackage-security.cabal

Lines 114 to 115 in b306678

	-- We support ghc 7.4 (bundled with Cabal 1.14) and up
	build-depends: base >= 4.8 && < 4.20,

hackage-security/hackage-security/hackage-security.cabal

Lines 33 to 45 in b306678

	tested-with:
	GHC == 9.8.1
	GHC == 9.6.3
	GHC == 9.4.8
	GHC == 9.2.8
	GHC == 9.0.2
	GHC == 8.10.7
	GHC == 8.8.4
	GHC == 8.6.5
	GHC == 8.4.4
	GHC == 8.2.2
	GHC == 8.0.2
	GHC == 7.10.3

I came here to see if I could do something about the noisy -Wstar-is-type warnings from hackage-security when compiling cabal but saw that I couldn't do that without CPP conditionals given that -Wstar-is-type was introduced in ghc-8.6 and we have a lower bound on base of 4.8 that is ghc-7.10.1.

[philderbeast]

There's a fair bit of CPP in this project already.

$ grep -rw --include=\*.hs . -e '#if'
./example-client/src/Prelude.hs:#if !MIN_VERSION_base(4,8,0)
./example-client/src/Prelude.hs:#if MIN_VERSION_base(4,8,0)
./example-client/src/Prelude.hs:#if MIN_VERSION_base(4,6,0)
./hackage-repo-tool/src/Hackage/Security/RepoTool/Util/IO.hs:#if MIN_VERSION_directory(1,2,0)
./hackage-repo-tool/src/Hackage/Security/RepoTool/Util/IO.hs:#if MIN_VERSION_directory(1,2,0)
./hackage-repo-tool/src/Hackage/Security/RepoTool/Util/IO.hs:#if MIN_VERSION_base(4,8,0)
./hackage-repo-tool/src/Prelude.hs:#if !MIN_VERSION_base(4,8,0)
./hackage-repo-tool/src/Prelude.hs:#if MIN_VERSION_base(4,8,0)
./hackage-repo-tool/src/Prelude.hs:#if MIN_VERSION_base(4,6,0)
./hackage-repo-tool/src/Main.hs:#if !MIN_VERSION_base(4,8,0)
./hackage-security-http-client/src/Hackage/Security/Client/Repository/HttpLib/HttpClient.hs:#if MIN_VERSION_http_client(0,5,0)
./hackage-security/src/MyPrelude.hs:#if !MIN_VERSION_base(4,8,0)
./hackage-security/src/MyPrelude.hs:#if MIN_VERSION_base(4,8,0)
./hackage-security/src/MyPrelude.hs:#if MIN_VERSION_base(4,6,0)
./hackage-security/src/Text/JSON/Canonical.hs:#if !(MIN_VERSION_base(4,7,0))
./hackage-security/src/Text/JSON/Canonical.hs:#if MIN_VERSION_base(4,7,0)
./hackage-security/src/Text/JSON/Canonical.hs:#if MIN_VERSION_base(4,7,0)
./hackage-security/src/Hackage/Security/Key.hs:#if !MIN_VERSION_base(4,7,0)
./hackage-security/src/Hackage/Security/Key.hs:#if MIN_VERSION_ed25519(0,0,4)
./hackage-security/src/Hackage/Security/Key.hs:#if MIN_VERSION_ed25519(0,0,4)
./hackage-security/src/Hackage/Security/Key.hs:#if !MIN_VERSION_base(4,7,0)
./hackage-security/src/Hackage/Security/Trusted.hs:#if __GLASGOW_HASKELL__ >= 710
./hackage-security/src/Hackage/Security/Trusted/TCB.hs:#if __GLASGOW_HASKELL__ >= 710
./hackage-security/src/Hackage/Security/Trusted/TCB.hs:#if __GLASGOW_HASKELL__ >= 710
./hackage-security/src/Hackage/Security/Trusted/TCB.hs:#if MIN_VERSION_base(4,8,0)
./hackage-security/src/Hackage/Security/Client.hs:#if __GLASGOW_HASKELL__ >= 710
./hackage-security/src/Hackage/Security/Client.hs:#if __GLASGOW_HASKELL__ < 800
./hackage-security/src/Hackage/Security/Client.hs:#if __GLASGOW_HASKELL__ < 800
./hackage-security/src/Hackage/Security/Client.hs:#if MIN_VERSION_base(4,8,0)
./hackage-security/src/Hackage/Security/TUF/Patterns.hs:#if __GLASGOW_HASKELL__ >= 800
./hackage-security/src/Hackage/Security/TUF/Patterns.hs:#if __GLASGOW_HASKELL__ >= 800
./hackage-security/src/Hackage/Security/JSON.hs:#if MIN_VERSION_base(4,8,0)
./hackage-security/src/Hackage/Security/Client/Repository/Remote.hs:#if MIN_VERSION_base(4,8,0)
./hackage-security/src/Hackage/Security/Client/Repository.hs:#if MIN_VERSION_base(4,8,0)
./hackage-security/src/Hackage/Security/Util/IO.hs:#if MIN_VERSION_base(4,11,0)
./hackage-security/src/Hackage/Security/Util/IO.hs:#if MIN_VERSION_base(4,11,0)
./hackage-security/src/Hackage/Security/Util/Path.hs:#if MIN_VERSION_directory(1,2,0)
./hackage-security/src/Hackage/Security/Util/Path.hs:#if MIN_VERSION_directory(1,2,2)
./hackage-security/src/Hackage/Security/Util/Path.hs:#if MIN_VERSION_directory(1,2,0)
./hackage-security/src/Hackage/Security/Util/Checked.hs:#if __GLASGOW_HASKELL__ >= 800
./hackage-security/src/Hackage/Security/Util/Checked.hs:#if __GLASGOW_HASKELL__ >= 708
./hackage-security/src/Hackage/Security/Util/Checked.hs:#if __GLASGOW_HASKELL__ >= 708
./hackage-security/src/Hackage/Security/Util/Checked.hs:#if __GLASGOW_HASKELL__ >= 708
./hackage-security/src/Hackage/Security/Util/Checked.hs:#if MIN_VERSION_base(4, 7, 0)
./hackage-security/src/Hackage/Security/Util/Checked.hs:#if __GLASGOW_HASKELL__ >= 708
./hackage-security/src/Hackage/Security/Util/Some.hs:#if !MIN_VERSION_base(4,7,0)
./hackage-security/src/Hackage/Security/Util/Some.hs:#if MIN_VERSION_base(4,7,0)
./hackage-security/src/Hackage/Security/Util/Some.hs:#if MIN_VERSION_base(4,7,0)
./hackage-security/src/Hackage/Security/Util/JSON.hs:#if __GLASGOW_HASKELL__ < 710
./hackage-security/src/Hackage/Security/Util/JSON.hs:#if !MIN_VERSION_time(1,5,0)
./hackage-security/src/Hackage/Security/Util/JSON.hs:#if __GLASGOW_HASKELL__ >= 710
./hackage-security/src/Hackage/Security/Util/JSON.hs:#if __GLASGOW_HASKELL__ >= 710
./hackage-security/src/Hackage/Security/Util/JSON.hs:#if !MIN_VERSION_time(1,5,0)
./hackage-security/tests/TestSuite.hs:#if MIN_VERSION_Cabal(2,0,0)
./hackage-security/tests/TestSuite.hs:#if !MIN_VERSION_Cabal(2,0,0)
./hackage-security/tests/TestSuite/JSON.hs:#if MIN_VERSION_aeson(2,0,0)
./hackage-security/tests/TestSuite/JSON.hs:#if MIN_VERSION_aeson(2,0,0)
./hackage-root-tool/Main.hs:#if !MIN_VERSION_base(4,8,0)
./hackage-security-HTTP/src/Hackage/Security/Client/Repository/HttpLib/HTTP.hs:#if MIN_VERSION_base(4,8,0)

[Mikolaj]

Yes, I think it's a good idea to get base bounds to match Cabal-the-library's, given that cabal's bounds are already quite generous and anything that uses hackage-security most probably uses Cabal as well. I hope GHC versions in CI already do match (if not, we can narrow them further, I think).

[andreasabel]

After enforcing GHC >= 8 in

• Drop support for GHC 7 and ancient versions of directory and time #304

there is much less #if.

I routinely drop GHC 7 now in all my projects, that's a no-brainer.
Dropping GHC < 8.6 requires probably a bit more care, as it is not dead-clear that the Haskell community is abandoning these GHCs already.
I seem like pantry, one of our users, still builds with GHC 8.2 (base-4.10).

[andreasabel]

I seem like pantry, one of our users, still builds with GHC 8.2 (base-4.10).

Actually, only on paper. In fact, it has no build plans for GHC < 8.8:

• Bump lower bound of base to >= 4.13 commercialhaskell/pantry#122

The only other user is Cabal, so going to GHC 8.6 seems fine here after all.

[Mikolaj]

The oldest GHC that cabal CI builds cabal with is 8.4 from what I see.

[philderbeast]

@Mikolaj for testing this against cabal, would you expect that I'd take cabal/.github/workflows/validate.yml, and manually run the steps locally?

To pick up my changes to hackage-security for the version bump for this test, I plan to add a source-repository-package but wouldn't commit this.

[Mikolaj]

@philderbeast: I'd imagine just building all and the running the cabal-testsuite (with the newly built binary in --with-cabal!) should be plenty, as described here: https://github.com/haskell/cabal/blob/master/cabal-testsuite/README.md. Or, to test some more, you may want to run the validate.sh script.

An alternative is to open a throw-away PR in cabal repo (then close it and keep it as documentation) and tweak it so that CI does what you want. And here's yet another tool that may be helpful: haskell/cabal#9561

[Mikolaj]

BTW, would you also recommend a revision of the bound on Hackage? Or just wait for a new release (@andreasabel can predict better than myself on what timescale the new release is likely to emerge).

[andreasabel]

If I am not mistaken, master is releasable, so we can ship hackage-security/v0.6.2.5 at any time.

[Mikolaj]

Yes, please do, that will make @ffaf1's life easier.

[andreasabel]

Ok! I'll open a PR for the release.