[Haskell-cafe] Offer to mirror Hackage

Darrin Chandler dwchandler at stilyagin.com
Wed Dec 8 16:17:04 CET 2010


On Wed, Dec 08, 2010 at 11:41:31AM +0100, Ketil Malde wrote:
> Vincent Hanquez <tab at snarc.org> writes:
> 
> > You have to start somewhere with security.
> 
> Yes.  And you should start with assessing how much cost and
> inconvenience you are willing to suffer for the improvement in
> security you gain.  In this case, my assertion is that the marginal
> worsening of security by having a mirror of hackage even without signing
> of packages etc., is less than the marginal improvement in usability. 
> 
> I'm a bit surprised to find that there seems to be a lot of opposition
> to this view, but perhaps the existing structure is more secure than I
> thought?  Or the benefit of a mirror is exaggerated - I can see how
> it would be annoying to have hackage down, but it hasn't happened to me,
> so perhaps those complaining about it just were very unlucky.

Having one glaring security problem is not a good reason to introduce
another one. It just makes more to fix.

As for mirroring, I'm all in favor of any random user doing a mirror.
The only place I see a problem is making those "official" mirrors. If
you were to mirror and announce that you had one then I can trust you or
not. There are some people I would trust to have valid mirrors.

Darrin
