Label vincenthz packages as deprecated on Hackage

[Kleidukos]

• How and when was the maintainer for the package requiring action contacted?
  The maintainer has decided to cease all activities in the Haskell ecosystem, and for some select packages, forks have been set in place. The TLS libraries have been handed over to a new maintainer, but most things have been abandoned with no intent to hand over maintainership.

• If available, a link to the filed issue in the upstream issue tracker
  These repositories have been archived, and as such it is not possible to interact on the issue tracker

• How critical is this?
  For cryptography package it is primordial to drive people away from clearly deprecated packages.
  Some other names like git, connection, packer or pem could be reused for actually maintained libraries.

(non-exhaustive) List of packages

• foundation
• basement
• memory
• cryptonite in favour of crypton
• cryptohash-cryptoapi
• gauge
• git
• language-java
• connection
• hit
• hourglass
• professor
• asn1
• socks
• libgit
• cabal-db
• securemem
• packer
• siphash
• unix-memory
• pem
• crypto-pubkey-types
• fileformat
• cstruct
• byteable

[phadej]

e.g. tls depends on asn1-types which depends on hourglass. tls also depends on memory directly. crypton depends on memory and basement.

I feel it's better to do nothing for most of these packages.

The deprecation cryptonite in favour of crypton makes sense. In particular there is the superseding package. But for something like asn1-* family of packages there simply aren't alternatives, AFAIK.

---

TL;DR, they are not deprecated, they are abandoned. That is not the same.

[Kleidukos]

Understandable

[andreasabel]

basement and foundation have been recently refreshed on Hackage (June 2023) and have @snoyberg listed as (Hackage) maintainer, so they should be good for a while.

[Bodigrim]

I suggest we mark:

• cryptonite deprecated in favor of crypton, cryptohash-md5, cryptohash-sha1, cryptohash-sha256, cryptohash-sha512 (plenty of cryptonite clients use it just for hashes),
• gauge deprecated in favor of tasty-bench and criterion.

I'm not aware of any easy replacement for memory, and the rest of Vincent's legacy is not that widely used.

[ysangkok]

Would it be possible for trustees to swap out dependencies on connection for crypton-connection? Or is that not permitted?

In particular, I am thinking of:

• Replace defunct connection library with crypton-connection jhickner/smtp-mail#41

[phadej]

Would it be possible for trustees to swap out dependencies

No, revisions cannot change the dependencies; only their version ranges.

[Bodigrim]

For the reference, gauge is broken on aarch64 with

cbits/cycles.c:55:2: error:
     error: Unsupported OS/architecture/compiler!
   |
55 | #error Unsupported OS/architecture/compiler!
   |  ^
#error Unsupported OS/architecture/compiler!

and on any arch with GHC 9.10 because of vendored-in math-functions:

math-functions/Numeric/Sum.hs:138:19: error: [GHC-87543]
    Ambiguous occurrence ‘foldl'’.
    It could refer to
       either ‘Prelude.foldl'’,
              imported from ‘Prelude’ at math-functions/Numeric/Sum.hs:25:8-18
              (and originally defined in ‘ghc-internal-9.1001.0:GHC.Internal.Data.Foldable’),
           or ‘Data.Vector.Generic.foldl'’,
              imported from ‘Data.Vector.Generic’ at math-functions/Numeric/Sum.hs:35:41-46.
    |
138 | sumVector f = f . foldl' add zero
    |

And cryptonite has several unmitigated issues such as kazu-yamamoto/crypton#22 and haskell-crypto/cryptonite#374 (aka kazu-yamamoto/crypton#1).