(no subject)

Fri Sep 5 12:56:28 EDT 2008

Hi Neil,

>I was reading your instructions on the GHC wiki page,
>http://hackage.haskell.org/trac/ghc/wiki/Building/Windows, and they are
>wonderful - exactly what I wanted. However, they don't work. When
>downloading Cygwin you are told to add haskell.org/ghc/cygwin as a path
>so it can pick up the setup.ini file. However, in the latest version of
>Cygwin it obvious wants signatures for all the .ini files:
>
>---------------------------
>Cygwin Setup
>---------------------------
>Unable to get http://www.haskell.org/ghc/cygwin/setup.ini.sig from
><http://www.haskell.org/ghc/cygwin>
>---------------------------
>OK   
>---------------------------
>
>Could someone please add the appropriate signature file?

Grr, not just the Haskell Cabal keeps marching on. Apparently, 
that is a change in last month's setup.exe:

    Updated: Setup.exe updated to version 2.573.2.3
    http://cygwin.com/ml/cygwin-announce/2008-08/msg00001.html

If I understand the implications correctly, one would need a
three point change to adapt properly:

- sign the setup.ini file with a key, in place
- put up a public key to check against, somewhere else
- point setup.exe to the location of the public key

Given that all we want are the dependencies (the package
is empty), this is starting to look ridiculous (one has to put in
more administrative information than one saves from not having
to specify the dependencies by hand..).

Meanwhile, there is apparently a command-line option to bypass 
the check, when using setup.exe on this repository:

    -X --no-verify                         Don't verify setup.ini signatures

You can easily check the package contents yourself before/after
downloading (because it is empty, only the setup.ini text matters;-).

Of course, I wouldn't recommend using that switch while you're 
also sourcing from another repository (the verification has been
added for a reason), so one would have to recommend running 
setup.exe twice, once with verification for the main stuff, once 
without for ghc-depends? 

But setup.exe will presumably want to run the check on both
downloading and installing, and since the dependencies ought to
be installed with verification, it isn't quite clear to me whether there
is a successful sequence of calling setup.exe, unless ghc-depends
is signed and an additional key is provided..

GHC HQ: unless you want to sign that package, and provide
a key to check against, I don't know what to do about this.

Please remember to update the log on the wiki page when you 
succeed - the value of this log comes from being applied from
scratch (when just updating, it is easy to miss something).

Thanks,
Claus