Why is there bespoke JSON infra?

[Ericson2314]

Shouldn't we just delete that and use Aeson?

[Mikolaj]

I really don't know the packages enough to say. That's about the hackage-security Hackage package proper? I suppose the original authors would know, so let's ask them.

[adamgundry]

Does Aeson provide support for Canonical JSON? That's necessary for reliably hashing JSON values, which is crucial. I don't know the details of the history here, but it looks like the relevant bits were subsequently extracted as a separate package (https://github.com/well-typed/canonical-json) so perhaps hackage-security could be refactored to use that, if anyone cares enough.

[andreasabel]

References:

• https://github.com/haskell/hackage-security/blob/1cee235a97a9439a58953a83fcfdd4449fe7c7a3/hackage-security/src/Text/JSON/Canonical.hs
• https://hackage.haskell.org/package/canonical-json

aeson is very slow to compile and provides many features not needed here, so I'd advice against.

canonical-json is atm outdated and needs to be lifted to the latest Haskell ecosystem (bytestring-0.11). Whether it has any users, is hard to tell, at least it is not tracked in https://packdeps.haskellers.com/reverse/canonical-json.

Never change a running system. As long as there isn't any expected gain from change, I'd leave things as-is for now.

[Bodigrim]

FWIW aeson provides JSON canonicalization from Data.Aeson.RFC8785. But RFC8785 is likely to differ in details from a home-grown canonicalization used by hackage-security at the moment.