[Haskell-cafe] Improvements to package hosting and security

[Mathieu Boespflug]

Define "superior"?

As argued in the proposal, the salient features are that by devolving
practically everything to Git+GPG, we end up with less code to maintain in
our tooling, less code to maintain in our infrastructure (namely
hackage-server), a more reliable service, and a smaller chance of buggering
up security related activities (such as signing and managing trust).

We're not introducing dependencies on dynamically linked system libraries
that makes tooling hard to distribute. We're not asking users to install
anything new that isn't already a staple of most developer desktops, and
not asking users, Hackage trustees and Hackage admins to manage new
identities with new key formats that aren't the existing ones they already
have (namely GnuPG). Further, users can still opt-out of signature
verification if they want to.

Compared to alternative approaches - there has been a proposal to get
incremental updates à la Git differently by growing (potentially
infinitely) the end of a tar file served by the server via HTTP. This means
grabbing the history for new package revisions cannot be opted out from
easily. With Git, you get this for free, since users can `git clone
--depth=1` and still be able to do a `git pull` later and verify
signatures. You further get the advantage of being able to directly mine
the history of changes, using standard tools, something that can't be done
directly on the tar file without more custom tooling (or post conversion to
Git).

On 28 April 2015 at 23:33, Bardur Arantsson <spam at scientician.net> wrote:

> On 28-04-2015 23:09, Mathieu Boespflug wrote:
> > [removing erroneous haskell-cafe at googlegroups.com from To list.]
>
> (I'm not the person you're responing to. From the mail-headers, I can't
> see the person(s) you're responding to, but so be it.)
>
> Do you have evidence that your approach is superior, and could you
> please cite it? [Or, alternatively provide negative evidence for
> $OTHER_APPROACH.])
>
> Regards,
>
> --
> You received this message because you are subscribed to the Google Groups
> "Commercial Haskell" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to commercialhaskell+unsubscribe at googlegroups.com.
> To post to this group, send email to commercialhaskell at googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/commercialhaskell/mhouaf%24it2%241%40ger.gmane.org
> .
> For more options, visit https://groups.google.com/d/optout.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20150429/a9500ed7/attachment.html>