[Haskell-cafe] Offer to mirror Hackage

wren ng thornton wren at freegeek.org
Tue Dec 14 01:15:17 CET 2010

On 12/13/10 8:25 AM, Paul Sargent wrote:
> How about, as a cheep and cheerful method to get up running. If the premise
> is that the original server is trustworthy and the mirrors aren't, then:
> 1) Hash all packages on the original server.
> 2) Hash goes into a side car file (e.g.<packagename>.sha) that lives next
> to the package

I still contend that we shouldn't have to trust the central server 
either. The hash can be created alongside the sdist on the maintainer's 
computer, and then both are uploaded to central. Thus, the maintainer 
can verify that the hash on central matches their own, which ensures that:

(a) the hash that central has is trustworthy
(b) no man-in-the-middle corrupted the sending of the hash to central

These concerns are separate from using the hash to confirm the 
consistency of the sdist itself. Remember: metadata can be compromised 
just as easily as data. And the fewer machines we have to trust, the 
better. Moreover, this approach requires the same amount of 
implementation work as getting central to make the hashes.

Live well,

More information about the Haskell-Cafe mailing list