[Haskell-cafe] Ticking time bomb

Vincent Hanquez tab at snarc.org
Thu Jan 31 11:48:34 CET 2013


On 01/31/2013 08:54 AM, Alexander Kjeldaas wrote:
> On Thu, Jan 31, 2013 at 9:26 AM, Vincent Hanquez <tab at snarc.org> wrote:
>
>> On 01/31/2013 06:27 AM, Ertugrul Söylemez wrote:
>>
>>> In any case there is no valid excuse for the lack of crypto.  It's too
>>> easy to attack Hackage, so we need some crypto regardless of what we
>>> interpret it as.
>>>
>>> My proposal is:
>>>
>>>     1. Build the necessary machinery into Cabal to allow signing keys and
>>>        packages and verifying the signatures, ideally through GnuPG.
>>>        Cabal would benefit from that even without cabal-install and
>>>        Hackage.
>>>
>> It seems there are lots of suggestions to use gnupg, which is a perfectly
>> valid answer if cabal were unix-only, but I'm not sure it's a valid option
>> considering Windows. Sure, you can install gnupg somehow, but it sounds to
>> me like it's going to run into the same problem as gtk2hs on Windows.
>>
>> One better way would be to tap into the two work-in-progress Haskell gnupg
>> replacements:
>>
>> http://hackage.haskell.org/package/openpgp
>> http://hackage.haskell.org/package/hOpenPGP
>>
>> AFAIK, neither package handles anything related to WoT yet; they just do
>> signing/verification (which is the same status as my ad-hoc experiment).
>>
>>
> In this case I think this is the wrong approach.  There must be at least
> one way to work within a trust model that is not fragile.  Whether this is
> fully supported on all platforms is actually not very important.
>
> I have pointed out why simply signing packages is fragile and how git is
> better suited for this task.  We are not going to reimplement all the good
> infrastructure that already exists (gpg, git), so making that a requirement
> is not a good idea IMO.
>
> Basic verification of signatures should work on Windows, I agree.  But the
> underlying WoT should be a little bit more sophisticated.  This means it
> has to be based on standard tools, or it will never happen.
>
I think you misunderstood me.

Having a fully working pgp package means you have full control of the 
pgp stack, you don't rely on hard-to-get outside tools, and it can be 
integrated with cabal directly for a full WoT experience.

Also, git doesn't solve the hackage problem: there's not necessarily a 
one-to-one mapping between packages and their repositories.

-- 
Vincent
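The thread above argues about which signing stack cabal should use but never shows what "signing a package and verifying the signature" has to cover. The sketch below is an added example, not code from this thread, from cabal, or from the openpgp/hOpenPGP packages. It uses Go's standard-library Ed25519 rather than OpenPGP so it runs offline, and it stands in for the WoT with a pinned key set (`KeyRing`); the uploader ids "alice"/"mallory", the package "acme", the tarball bytes and the sentinel errors are all constructed for the example. The point it makes is that the signed data must bind the package name and version to the tarball digest, so a signature published for one upload cannot be reused to vouch for another.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what gets signed: the package identity plus the digest of the
// tarball. Signing only the tarball bytes would let one signed upload be
// re-served under another name or version with the same signature.
type Manifest struct {
	Name    string
	Version string
	SHA256  string // hex digest of the tarball bytes
}

// Encode serialises the manifest unambiguously so signer and verifier sign
// and check identical bytes. Fields are length-prefixed, so ("foo","1.0")
// and ("fo","o1.0") cannot encode to the same thing.
func (m Manifest) Encode() []byte {
	var b bytes.Buffer
	for _, f := range []string{m.Name, m.Version, m.SHA256} {
		fmt.Fprintf(&b, "%d:%s,", len(f), f)
	}
	return b.Bytes()
}

// KeyRing maps an uploader id to the public key the client trusts for it.
// A stand-in (assumed for this example) for whatever trust source, WoT or
// pinned key file, a real cabal integration would consult.
type KeyRing map[string]ed25519.PublicKey

var (
	ErrUnknownSigner  = errors.New("no trusted key for signer")
	ErrDigestMismatch = errors.New("tarball digest does not match manifest")
	ErrBadSignature   = errors.New("signature does not verify over manifest")
)

// GenerateUploaderKey makes a fresh Ed25519 key pair for a package uploader.
func GenerateUploaderKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Digest returns the hex SHA-256 of a tarball's bytes.
func Digest(tarball []byte) string {
	sum := sha256.Sum256(tarball)
	return hex.EncodeToString(sum[:])
}

// Sign produces the detached signature an uploader would publish beside the
// package: it covers the encoded manifest, not the raw tarball.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// Verify is what a client runs before unpacking a download. All checks
// complete before the tarball bytes are trusted for anything.
func Verify(ring KeyRing, signer string, m Manifest, tarball, sig []byte) error {
	pub, ok := ring[signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if Digest(tarball) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := GenerateUploaderKey()
	if err != nil {
		panic(err)
	}
	ring := KeyRing{"alice": pub}

	// Constructed stand-in for a package tarball; a real one is a .tar.gz.
	tarball := []byte("constructed tarball bytes for acme-0.1.0")
	m := Manifest{Name: "acme", Version: "0.1.0", SHA256: Digest(tarball)}
	sig := Sign(priv, m)

	fmt.Println("genuine:   ", Verify(ring, "alice", m, tarball, sig))

	// Same tarball and signature, but the index claims a newer version.
	relabelled := m
	relabelled.Version = "0.2.0"
	fmt.Println("relabelled:", Verify(ring, "alice", relabelled, tarball, sig))

	// Tarball swapped on a mirror; manifest and signature untouched.
	fmt.Println("tampered:  ", Verify(ring, "alice", m, []byte("evil"), sig))

	// Signer the client holds no trusted key for.
	fmt.Println("unknown:   ", Verify(ring, "mallory", m, tarball, sig))
}
```

What this deliberately leaves out is the part the thread is actually arguing over: how `KeyRing` gets populated and how keys sign other keys. Whether that comes from gnupg, a Haskell OpenPGP library, or git history is exactly the open question above; the manifest-binding and the check order are the same regardless.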


