[Haskell-cafe] Ticking time bomb

Felipe Almeida Lessa felipe.lessa at gmail.com
Wed Jan 30 23:31:51 CET 2013


IMHO Hackage and Cabal should support package signing even if they
aren't package managers.

On Wed, Jan 30, 2013 at 6:59 PM, Joachim Breitner <nomeata at debian.org> wrote:
> Hi,
>
> On Wednesday, 30.01.2013, at 11:27 -0800, Edward Z. Yang wrote:
>> https://status.heroku.com/incidents/489
>>
>> Unsigned Hackage packages are a ticking time bomb.
>
> another reason why Cabal is no package manager¹.
>
> (Ok, I admit that I don’t review every line of diff between the Haskell
> packages I upload. But thanks to http://hdiff.luite.com/ I at least
> glance over them most of the time – a hurdle that malicious code would
> have to take. And once a package has entered a distribution like Debian
> (which it only can with a valid cryptographic signature), checksums and
> signatures are used in many places to (mostly) guarantee that the
> package reaches the user unmodified.)
>
> Greetings,
> Joachim
>
> ¹ http://ivanmiljenovic.wordpress.com/2010/03/15/repeat-after-me-cabal-is-not-a-package-manager/
>
> --
> Joachim "nomeata" Breitner
> Debian Developer
>   nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
>   JID: nomeata at joachim-breitner.de | http://people.debian.org/~nomeata
>
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://www.haskell.org/mailman/listinfo/haskell-cafe
>



-- 
Felipe.