[Haskell-cafe] Ticking time bomb

Vincent Hanquez tab at snarc.org
Fri Feb 1 14:35:21 CET 2013


On Fri, Feb 01, 2013 at 01:07:33PM +0100, Christopher Done wrote:
> Hey dude, it looks like we made the same project yesterday:
> 
> http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/
> 
> Yours is nice as it doesn't depend on GPG. Although that could be a
> nice thing because GPG manages keys. Dunno.
> 
> Another diff is that mine puts the .sig inside the .tar.gz, yours puts
> it separate.

Nice to see a productive discussion on this. /me really needs to read reddit more :)

Couple of details: no, the signature is going inside the tarball too. The
signature process happens during the sdisting, after building the manifest. My
reason for doing this, which I suspect is similar to yours, is that I don't need to
modify hackage this way and the uploading stays the same. Also, in my case,
cabal-signature is called by cabal, not by the user. I can't see this effort
working without forcing everyone to use it (transparently in the background).

For gpg, I don't know what the right answer is. On one hand it's solving all
the problems related to this already, but on the other there's the portability issue.

I was thinking maybe one way to verify the key that I use for signing
would be to tie it to a personal gpg key (by signing the key with a gpg key) to
benefit from all the facilities that gpg provides. It would provide a cheap way
to switch model later, without being tied to a gpg signing process.

-- 
Vincent
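The flow described in the message (build the manifest, sign it, ship manifest and signature inside the sdist tarball, verify on the other side) as an added illustration, not code from cabal-signature or from either tool discussed. It uses a constructed demo key and HMAC-SHA256 as a stand-in for the real asymmetric signature; the file names MANIFEST.json and MANIFEST.sig are assumptions.

```python
import hashlib, hmac, io, json, tarfile

# Constructed demo key; stands in for the tool's real (asymmetric) signing key.
DEMO_KEY = b"demo-signing-key-not-for-real-use"
MANIFEST = "MANIFEST.json"   # assumed member name for the manifest
SIGNATURE = "MANIFEST.sig"   # assumed member name for the signature

def build_manifest(files):
    """files: {path: bytes}. Manifest = JSON map of every file to its SHA-256."""
    entries = {p: hashlib.sha256(d).hexdigest() for p, d in sorted(files.items())}
    return json.dumps(entries, sort_keys=True).encode()

def sign(manifest, key=DEMO_KEY):
    # Stand-in primitive: a real tool would produce a public-key signature here.
    return hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()

def write_tar(members):
    """Pack {path: bytes} into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in members.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_tar(tarball):
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}

def sdist(files, key=DEMO_KEY):
    # Signing happens after the manifest is built; both go inside the tarball.
    manifest = build_manifest(files)
    return write_tar({**files, MANIFEST: manifest, SIGNATURE: sign(manifest, key)})

def verify(tarball, key=DEMO_KEY):
    """(ok, reason): rejects a bad signature, a changed file, or an unlisted file."""
    members = read_tar(tarball)
    manifest = members.pop(MANIFEST, None)
    sig = members.pop(SIGNATURE, None)
    if manifest is None or sig is None:
        return False, "unsigned tarball"
    if not hmac.compare_digest(sign(manifest, key), sig):
        return False, "bad signature"
    listed = json.loads(manifest)
    if set(listed) != set(members):          # extra or missing files are rejected
        return False, "file set differs from manifest"
    for path, digest in listed.items():
        if hashlib.sha256(members[path]).hexdigest() != digest:
            return False, "hash mismatch: " + path
    return True, "ok"
```

Because the manifest lists every file and verification compares the full file set, a file added to the tarball after signing is caught even though the signature itself still checks out.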
