[Haskell-cafe] Ticking time bomb
Alfredo Di Napoli
alfredo.dinapoli at gmail.com
Wed Feb 13 09:10:31 CET 2013
+1 for keeping this alive.
Apart from the initial hype, now this issue is slowly losing attention but
I think we should always keep the risk we are exposed to.
Being I will sound pessimistic, but we should learn from the "competitors"
On 12 February 2013 08:49, Bob Ippolito <bob at redivi.com> wrote:
> The Python and Ruby communities are actively working on improving the
> security of their packaging infrastructure. I haven't paid close attention
> to any of the efforts so far, but anyone working on cabal/hackage security
> should probably take a peek. I lurk on Python's catalog-sig list and here's
> the interesting bits I've noticed from the past few weeks:
> [Catalog-sig] [Draft] Package signing and verification process
> [Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
> Python PyPi Security Working Document:
> Rubygems Threat Model:
> TUF: The Update Framework
> On Fri, Feb 1, 2013 at 4:07 AM, Christopher Done <chrisdone at gmail.com>wrote:
>> Hey dude, it looks like we made the same project yesterday:
>> Yours is nice as it doesn't depend on GPG. Although that could be a
>> nice thing because GPG manages keys. Dunno.
>> Another diff is that mine puts the .sig inside the .tar.gz, yours puts
>> it separate.
>> On 31 January 2013 09:11, Vincent Hanquez <tab at snarc.org> wrote:
>> > On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
>> >> https://status.heroku.com/incidents/489
>> >> Unsigned Hackage packages are a ticking time bomb.
>> > I agree this is terrible, I've started working on this, but this is
>> quite a
>> > bit of work and other priorities always pop up.
>> > https://github.com/vincenthz/cabal
>> > https://github.com/vincenthz/cabal-signature
>> > My current implementation generate a manifest during sdist'ing in
>> cabal, and
>> > have cabal-signature called by cabal on the manifest to create a
>> > manifest.sign.
>> > The main issue i'm facing is how to create a Web of Trust for doing all
>> > public verification bits.
>> > --
>> > Vincent
>> > _______________________________________________
>> > Haskell-Cafe mailing list
>> > Haskell-Cafe at haskell.org
>> > http://www.haskell.org/mailman/listinfo/haskell-cafe
>> Haskell-Cafe mailing list
>> Haskell-Cafe at haskell.org
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Haskell-Cafe