Proposal: cabal-install: verify OpenPGP signatures

Nikita Karetnikov nikita at karetnikov.org
Fri Jun 27 14:57:56 UTC 2014


I’ve just pushed a bit more code [1].  Now it’s possible to upload an
ASCII-armored OpenPGP signature, which is optional, while uploading a
package or a package candidate.  If a signature is present, the download
link will be shown in the “Downloads” list.

Questions:

1. ‘backup’ doesn’t work yet.  Should I use symlinks and a shared
   directory (see ‘Distribution/Server/Framework/BackupDump.hs’)?

2. Is there a need to provide ‘SafeCopy’ instances for the types that
   have been changed?  If so, then which ones should be instantiated?

Also, I made a mistake in 328c38a.  Public keys must have their own
page(s) since ‘name-contact’ requires authorization.  (I’ll fix it).

Any feedback is appreciated.  Note that a development version of
hOpenPGP is required for now (see the comment in the cabal file).

[1] https://gitorious.org/hackage-server/hackage-server/commits/openpgp