[Haskell-cafe] Offer to mirror Hackage

Vincent Hanquez tab at snarc.org
Thu Dec 9 13:04:18 CET 2010


On Thu, Dec 09, 2010 at 10:45:39PM +1100, Ivan Lazar Miljenovic wrote:
> On 9 December 2010 20:55, Vincent Hanquez <tab at snarc.org> wrote:
> >
> > You might have misunderstood what I was talking about. I'm proposing signing
> > on the hackage server on reception of the package,
> > where it can be verified by cabal that the package hasn't been signed
> > properly.
> 
> By "cabal", are you referring to Cabal or cabal-install?  If the
> former, then I'm not sure how exactly it would do such verification
> since it doesn't have any notion of the internet as far as I'm aware;
> if the latter then it means absolutely nothing for those of us that do
> not use cabal-install for most packages.

I don't really know the difference between Cabal and cabal-install, but
something is downloading the .tar.gz, and that thing can always download an extra
.tar.gz.sign file which contains a way to verify that the .tar.gz is genuinely
the one that has been received by hackage.

For those not using the thing-that-downloads-the-archive to get their package from
hackage, they can build the same mechanism that downloads an extra file and
checks the signature. Or they can even choose not to bother, and just download
the package as they did before.

Note that I'm not actually inventing anything new here; this is a common way
to distribute software (Linux distributions, many open source software projects, etc).

-- 
Vincent
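
The scheme described in this message, as an added example that is not part of the original post or of any Hackage or cabal code: the server signs the archive on reception, and any downloader checks the extra `.tar.gz.sign` file against the server's public key before using the archive, even when both came from an untrusted mirror. Assumptions: RSASSA-PKCS1-v1_5 with SHA-256 as the signature scheme, a constructed throwaway key, a dict standing in for the mirror, and hypothetical function names.

```python
import hashlib

# Constructed demo key (NOT secure): two Mersenne primes stand in for the
# server's RSA key so the example runs offline with no crypto library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                            # public modulus, shipped with the client
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept on the server only
K = (N.bit_length() + 7) // 8        # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(archive: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(archive), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(archive).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def server_sign(archive: bytes) -> bytes:
    """Server side, on reception of an upload: content of the .tar.gz.sign file."""
    return pow(_encode(archive), D, N).to_bytes(K, "big")


def client_verify(archive: bytes, sig: bytes) -> bool:
    """Downloader side: needs only the public values N and E."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    # Rebuild the expected encoded block and compare it whole, instead of
    # parsing the padding out of the recovered value.
    return pow(s, E, N) == _encode(archive)


def fetch_and_check(mirror: dict, name: str) -> bytes:
    """Fail closed: return the archive only if its signature file verifies."""
    archive = mirror[name]
    sig = mirror.get(name + ".sign")
    if sig is None or not client_verify(archive, sig):
        raise ValueError("signature check failed for " + name)
    return archive
```
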