Hackage security alpha

Duncan Coutts duncan at well-typed.com
Wed Jul 8 13:08:23 UTC 2015


Hi folks,

We're doing an alpha release of the hackage security work today and we'd
like to invite you all to help test it.

In addition to the security improvements it includes automatic use of
mirrors (including the server distributing a list of available public
mirrors) and includes incremental downloads of the hackage index, so
cabal update should be a lot faster.

At this alpha stage we would like some but not too many users to try it
out, so when things do break we don't have it break for too many people
all at once. But subscribers to this list are just the kind of expert
users who we'd like to try it out and report issues. In particular we're
interested in any problems caused by crazy proxies and annoying things
of that ilk.

During the beta we'll make the whole thing a bit more user friendly to
get more people to try it out. So for the moment you have to grab things
from git branches etc. All the details are in this blog post:

http://www.well-typed.com/blog/2015/07/hackage-security-alpha/

As it says there, report issues in the GitHub bug tracker.

Oh and I don't think we say it in the blog post but the idea is that for
any of the new library dependencies for the security stuff, if any of
them are problematic we can just bundle them with cabal-install (we'll
probably just bundle them all). The design deliberately keeps these
dependencies to a minimum: SHA256 hashing, ed25519 signing/checking
provided by minimal bundled C code. For the alpha the cabal-install
integration just uses these as external dependencies.

-- 
Duncan Coutts, Haskell Consultant
Well-Typed LLP, http://www.well-typed.com/


