[Haskell-cafe] Offer to mirror Hackage
wren ng thornton
wren at freegeek.org
Tue Dec 14 01:15:17 CET 2010
On 12/13/10 8:25 AM, Paul Sargent wrote:
> How about, as a cheep and cheerful method to get up running. If the premise
> is that the original server is trustworthy and the mirrors aren't, then:
>
> 1) Hash all packages on the original server.
> 2) Hash goes into a side car file (e.g.<packagename>.sha) that lives next
> to the package
I still contend that we shouldn't have to trust the central server
either. The hash can be created alongside the sdist on the maintainer's
computer, and then both are uploaded to central. Thus, the maintainer
can verify that the hash on central matches their own, which ensures that:
(a) the hash that central has is trustworthy
(b) no man-in-the-middle corrupted the sending of the hash to central
These concerns are separate from using the hash to confirm the
consistency of the sdist itself. Remember: metadata can be compromised
just as easily as data. And the fewer machines we have to trust, the
better. Moreover, this approach requires the same amount of
implementation work as getting central to make the hashes.
--
Live well,
~wren
More information about the Haskell-Cafe
mailing list