Is `hackage-security-0.6.2` a PVP violation?

[andreasabel]

I got a build error in hackage-server which had no explicit dep on Cabal-syntax, but had Cabal ^>= 3.6.3.0 and hackage-security ^>= 0.6:

Couldn't match type ‘PackageIdentifier’
                     with ‘Cabal-syntax-3.8.1.0:Distribution.Types.PackageId.PackageIdentifier’
      Expected: Cabal-syntax-3.8.1.0:Distribution.Types.PackageId.PackageIdentifier
        Actual: PackageId
      NB: ‘Cabal-syntax-3.8.1.0:Distribution.Types.PackageId.PackageIdentifier’
            is defined in ‘Distribution.Types.PackageId’
                in package ‘Cabal-syntax-3.8.1.0’
          ‘PackageIdentifier’
            is defined in ‘Distribution.Types.PackageId’
                in package ‘Cabal-3.6.3.0’

This shouldn't happen, I suppose?
So, is hackage-security-0.6.2 a PVP violation, and should it be released as 0.7 instead?

See:

• Build failure of master due to hackage-security-0.6.2 hackage-server#1130

[Mikolaj]

I think this is just haskell/cabal#8370, which is potentially the biggest regression in cabal 3.8.1.0; a ticking bomb. Relaxing bounds in 0.6.2 just made cabal 3.8.1.0 available, which exposed this cabal 3.8.1.0 bug.

[andreasabel]

Bumping hackage-security to 0.7 wouldn't fix the problem, I suppose.