Proposal: cabal-install: verify OpenPGP signatures
Nikita Karetnikov
nikita at karetnikov.org
Tue Apr 29 23:15:17 UTC 2014
Following up on the “cabal-install: Replacing HTTP with HTTPS” thread.
I think we can do better. I want to make sure that people will notice
if someone compromises the packages on hackage.haskell.org.
Here’s a rough plan:
1. Patch ‘hackage-server’ to allow uploading of OpenPGP signatures.
2. Patch ‘cabal-install’ to use GPG for verification. (GPG trust levels
could be useful here.) ‘cabal install’ should also support
‘--skip-verification’ or some such to avoid disaster during the
adoption stage.
In addition, ‘cabal update’ would fetch the list of fingerprints from
Hackage and cache each revision. A warning would be raised if a
fignerprint cannot be found in the cache.
If a maintainer wants to use a new key, it must be signed with the
previously used one. If a maintainer loses their private key, for
instance, this should be resolved by the admins. For example, an
admin (admins?) could sign the new key.
After a while, a web of trust would be formed. The fingerprints of
active maintainers would be well-known.
I’ve been thinking about this for quite a while and don’t see other ways
to achive the same level of trust while allowing arbitrary uploads. The
proposal also doesn’t require much manual intervention.
What do you think? I’m willing to work on this but want to make sure
that my time won’t be wasted. Will you accept such a patch?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://www.haskell.org/pipermail/cabal-devel/attachments/20140430/bf7157bd/attachment.sig>
More information about the cabal-devel
mailing list