issues installing yesod

Question

I want to install yesod to learn a bit about web and playing a bit with Haskell in my spare time but when i do:

> cabal install yesod
Resolving dependencies...
cabal: cannot configure cprng-aes-0.2.2. It requires crypto-api >=0.8
For the dependency on crypto-api >=0.8 there are these packages:
crypto-api-0.8. However none of them are available.
crypto-api-0.8 was excluded because skein-0.1.0.1 requires crypto-api ==0.6.*
crypto-api-0.8 was excluded because crypto-api-0.6.4 was selected instead
crypto-api-0.8 was excluded because clientsession-0.7.3.1 requires crypto-api
>=0.6.4 && <0.7

but i think i have the right packages installed

cabal list cprng-aes skein crypto-api clientsession
* clientsession
    Synopsis: Securely store session data in a client-side cookie.
    Default available version: 0.7.3.1
    Installed versions: 0.7.3.1
    Homepage: http://github.com/snoyberg/clientsession/tree/master
    License:  BSD3

* cprng-aes
    Synopsis: Crypto Pseudo Random Number Generator using AES in counter mode.
    Default available version: 0.2.2
    Installed versions: 0.2.2
    Homepage: http://github.com/vincenthz/hs-cprng-aes
    License:  BSD3

* crypto-api
    Synopsis: A generic interface for cryptographic operations
    Default available version: 0.8
    Installed versions: 0.6.4, 0.8
    Homepage: http://trac.haskell.org/crypto-api/wiki
    License:  BSD3

* crypto-api-tests
    Synopsis: A test framework and KATs for cryptographic operations.
    Default available version: 0.1
    Installed versions: [ Not installed ]
    Homepage: http://trac.haskell.org/crypto-api/wiki
    License:  BSD3

* hack-middleware-clientsession
    Synopsis: Middleware for easily keeping session data in client cookies.
    Default available version: 0.0.1
    Installed versions: [ Not installed ]
    Homepage: http://github.com/snoyberg/hack-middleware-clientsession/tree/master
    License:  BSD3

* skein
    Synopsis: Skein, a family of cryptographic hash functions. Includes
              Skein-MAC as well.
    Default available version: 0.1.0.1
    Installed versions: 0.1.0.1
    License:  BSD3

i don't know much about cabal install but it seems that both crypto-api >=0.8 and <7 are required, which seems impossible.

Answer 1

Crypto-API maintainer here.

THE PROBLEM

The problem is the packages are mutually exclusive. The latest cprng-aes requires crypto-api version >= 0.8. The latest skein requires crypto-api 0.6.*. So what we want to have happen is the skein developer (whom I will e-mail) to update the package.

FOR NOW

Till then, you'll need to install older versions of the packages in question. Try something like:

cabal install yesod 'crypto-api == 0.6.4' 'cprng == 0.2.1'

I think that syntax is right. If not you can always do:

cabal install yesod crypto-api-0.6.4 cprng-0.2.1

HOW CAN THE COMMUNITY AVOID THIS

In the long term I hope cabal will get better and automatically finding compatible versions, as I did for the above. Short of such cabal improvements, which everyone mentions and nobody implements, it would be good of package maintainers to try and keep a consistent lower bound on their build-deps. If cprng-aes still accepted crypto-api >= 0.5 then I think this would have been installed by cabal. This is a bit much to ask of package maintainers, but they can do it using CPP and the {MAX,MIN}_VERSION macros provided by cabal.

EDIT: UPDATE Felipe has updated skein and uploaded to hackage. Michael has updated clientsession and, seeing as he is the Yesod maintainer and already involved in e-mail conversations, I'm sure he will upload it to hackage soon. Things should be fixed by the time you read this message, just run:

 cabal update ; cabal install yesod

On reflection, I see how much traffic major version bumps in crypto-api cause the rest of the community. I'm not sure how to handle the issue. I could have just observed that "no one will be affected if I make this change" and just break with PVP. OTOH, if I do break someones code when I fail to follow PVP then they have a legitimate reason to be upset. Any community comments?