Proposal: cabal-install: verify OpenPGP signatures

Nikita Karetnikov nikita at karetnikov.org
Tue Apr 29 23:15:17 UTC 2014


Following up on the “cabal-install: Replacing HTTP with HTTPS” thread.
I think we can do better.  I want to make sure that people will notice
if someone compromises the packages on hackage.haskell.org.

Here’s a rough plan:

1. Patch ‘hackage-server’ to allow uploading of OpenPGP signatures.

2. Patch ‘cabal-install’ to use GPG for verification.  (GPG trust levels
   could be useful here.)  ‘cabal install’ should also support
   ‘--skip-verification’ or some such to avoid disaster during the
   adoption stage.

   In addition, ‘cabal update’ would fetch the list of fingerprints from
   Hackage and cache each revision.  A warning would be raised if a
   fingerprint cannot be found in the cache.

   If a maintainer wants to use a new key, it must be signed with the
   previously used one.  If a maintainer loses their private key, for
   instance, this should be resolved by the admins.  For example, an
   admin (admins?) could sign the new key.

   After a while, a web of trust would be formed.  The fingerprints of
   active maintainers would be well-known.

I’ve been thinking about this for quite a while and don’t see other ways
to achieve the same level of trust while allowing arbitrary uploads.  The
proposal also doesn’t require much manual intervention.

What do you think?  I’m willing to work on this but want to make sure
that my time won’t be wasted.  Will you accept such a patch?
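The policy the proposal sketches (a fingerprint list cached per revision by ‘cabal update’, a warning for fingerprints not in the cache, key rotation accepted only when the new key is signed by the previous one or by an admin, and a ‘--skip-verification’ escape hatch) is modelled below as an added example. It is not code from this message, from cabal-install or from hackage-server. The OpenPGP check itself is abstracted behind a `verify(fingerprint, data, signature)` callable that cabal-install would implement by calling gpg; the demo plugs in an HMAC-based stand-in, constructed for this example and not OpenPGP, so the policy logic runs offline. All names (`FingerprintCache`, `rotate_key`, `verify_package`, the toy key functions) are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# verify(signer_fingerprint, data, signature) -> bool.  In cabal-install this
# would wrap `gpg --verify`; here the caller supplies it (assumption).
Verifier = Callable[[str, bytes, bytes], bool]


@dataclass
class FingerprintCache:
    """Every revision of the maintainer -> fingerprint list that 'cabal update'
    has fetched.  Old revisions are kept so packages signed before a key
    rotation still verify against a fingerprint that was valid at the time."""
    revisions: List[Dict[str, str]] = field(default_factory=list)
    admins: List[str] = field(default_factory=list)  # admin key fingerprints

    def update(self, listing: Dict[str, str]) -> None:
        self.revisions.append(dict(listing))

    def known(self, fingerprint: str) -> bool:
        return any(fingerprint in rev.values() for rev in self.revisions)

    def current_key(self, maintainer: str) -> Optional[str]:
        for rev in reversed(self.revisions):
            if maintainer in rev:
                return rev[maintainer]
        return None


def rotate_key(cache: FingerprintCache, maintainer: str, new_fp: str,
               cert: bytes, verify: Verifier) -> bool:
    """Accept a new maintainer key only if `cert` (a signature over the new
    fingerprint) was made by the maintainer's previous key or by an admin."""
    signers = [cache.current_key(maintainer)] + cache.admins
    if not any(fp and verify(fp, new_fp.encode(), cert) for fp in signers):
        return False
    latest = dict(cache.revisions[-1]) if cache.revisions else {}
    latest[maintainer] = new_fp
    cache.update(latest)  # the rotation becomes a new cached revision
    return True


def verify_package(cache: FingerprintCache, data: bytes, sig: bytes,
                   signer_fp: str, verify: Verifier,
                   skip_verification: bool = False) -> str:
    """Returns 'skipped', 'bad-signature', 'unknown-fingerprint' or 'ok'."""
    if skip_verification:            # the --skip-verification escape hatch
        return "skipped"
    if not verify(signer_fp, data, sig):
        return "bad-signature"
    if not cache.known(signer_fp):   # the warning case from the proposal
        return "unknown-fingerprint"
    return "ok"


# --- Constructed stand-in for OpenPGP keys, for the demo only -------------
_TOY_SECRETS: Dict[str, bytes] = {}

def toy_keygen(name: str) -> str:
    secret = hashlib.sha256(b"toy-secret:" + name.encode()).digest()
    fp = hashlib.sha1(secret).hexdigest().upper()  # 40-hex "fingerprint"
    _TOY_SECRETS[fp] = secret
    return fp

def toy_sign(fp: str, data: bytes) -> bytes:
    return hmac.new(_TOY_SECRETS[fp], data, hashlib.sha256).digest()

def toy_verify(fp: str, data: bytes, sig: bytes) -> bool:
    secret = _TOY_SECRETS.get(fp)
    return secret is not None and hmac.compare_digest(
        hmac.new(secret, data, hashlib.sha256).digest(), sig)


def demo() -> Dict[str, object]:
    """Walk through the proposal's cases with constructed keys and data."""
    cache = FingerprintCache(admins=[toy_keygen("admin")])
    alice_v1 = toy_keygen("alice-2013")
    cache.update({"alice": alice_v1})          # first 'cabal update'
    pkg = b"foo-1.0.tar.gz contents (constructed)"
    r: Dict[str, object] = {}
    r["cached_key"] = verify_package(cache, pkg, toy_sign(alice_v1, pkg), alice_v1, toy_verify)
    mallory = toy_keygen("mallory")            # valid signature, unknown key
    r["unknown_key"] = verify_package(cache, pkg, toy_sign(mallory, pkg), mallory, toy_verify)
    r["tampered"] = verify_package(cache, pkg + b"!", toy_sign(alice_v1, pkg), alice_v1, toy_verify)
    alice_v2 = toy_keygen("alice-2014")
    r["rotate_self_signed"] = rotate_key(cache, "alice", alice_v2, toy_sign(alice_v2, alice_v2.encode()), toy_verify)
    r["rotate_old_signed"] = rotate_key(cache, "alice", alice_v2, toy_sign(alice_v1, alice_v2.encode()), toy_verify)
    r["old_pkg_after_rotation"] = verify_package(cache, pkg, toy_sign(alice_v1, pkg), alice_v1, toy_verify)
    r["current_is_v2"] = cache.current_key("alice") == alice_v2
    alice_v3 = toy_keygen("alice-2015")        # lost key: an admin signs it
    r["rotate_admin_signed"] = rotate_key(cache, "alice", alice_v3, toy_sign(cache.admins[0], alice_v3.encode()), toy_verify)
    r["skipped"] = verify_package(cache, pkg, b"", mallory, toy_verify, skip_verification=True)
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point worth noting in the model is the order of checks: a package signed by an unknown key is still cryptographically valid, so the cache lookup is a separate step that only produces the warning the proposal describes, while a bad signature is rejected outright; and because rotation appends a revision instead of replacing the list, a package signed with a maintainer's earlier key keeps verifying after the rotation.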