[Haskell-cafe] hackage is down.

Jochem Berndsen jochem at functor.nl
Mon Nov 2 06:37:54 EST 2009


??????? ?????? wrote:
> 
>> No no no!  Why not download the normal (signed) cabal list from the
>> DHT (and optionally directly from hackage.haskell.org)?  These are all
>> the packages that would appear on the website.  Why serve any other
>> content?  All nodes in the DHT may check and make sure the file (or
>> fragment) being served is properly signed.
>>
>> Any desire for popularity or tagging capability should be separate.
>>   
> Because a single hackage private key can be brute-forced or stolen
> far more easily than lots and lots of keys of random people.

You only need to compromise one well-trusted key to compromise the system.

Cheers, Jochem

-- 
Jochem Berndsen | jochem at functor.nl | jochem@????.com

