[Haskell-cafe] Ticking time bomb

Alfredo Di Napoli alfredo.dinapoli at gmail.com
Wed Feb 13 09:10:31 CET 2013


+1 for keeping this alive.
Apart from the initial hype, this issue is now slowly losing attention, but
I think we should always keep in mind the risk we are exposed to.
I may sound pessimistic, but we should learn from the "competitors'"
mistakes :)

Cheers,
A.

On 12 February 2013 08:49, Bob Ippolito <bob at redivi.com> wrote:

> The Python and Ruby communities are actively working on improving the
> security of their packaging infrastructure. I haven't paid close attention
> to any of the efforts so far, but anyone working on cabal/hackage security
> should probably take a peek. I lurk on Python's catalog-sig list and here's
> the interesting bits I've noticed from the past few weeks:
>
> [Catalog-sig] [Draft] Package signing and verification process
> http://mail.python.org/pipermail/catalog-sig/2013-February/004832.html
>
> [Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
> http://mail.python.org/pipermail/catalog-sig/2013-February/004994.html
>
> Python PyPi Security Working Document:
>
> https://docs.google.com/document/d/1e3g1v8INHjHsUJ-Q0odQOO8s91KMAbqLQyqj20CSZYA/edit
>
> Rubygems Threat Model:
> http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html
>
> https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb_SA/edit
>
> TUF: The Update Framework
> https://www.updateframework.com/
>
>
>
> On Fri, Feb 1, 2013 at 4:07 AM, Christopher Done <chrisdone at gmail.com>wrote:
>
>> Hey dude, it looks like we made the same project yesterday:
>>
>>
>> http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/
>>
>> Yours is nice as it doesn't depend on GPG. Although that could be a
>> nice thing because GPG manages keys. Dunno.
>>
>> Another diff is that mine puts the .sig inside the .tar.gz, yours puts
>> it separate.
>>
>> =)
>>
>> On 31 January 2013 09:11, Vincent Hanquez <tab at snarc.org> wrote:
>> > On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
>> >>
>> >> https://status.heroku.com/incidents/489
>> >>
>> >> Unsigned Hackage packages are a ticking time bomb.
>> >>
>> > I agree this is terrible, I've started working on this, but this is
>> > quite a bit of work and other priorities always pop up.
>> >
>> > https://github.com/vincenthz/cabal
>> > https://github.com/vincenthz/cabal-signature
>> >
>> > My current implementation generates a manifest during sdist'ing in
>> > cabal, and has cabal-signature called by cabal on the manifest to
>> > create a manifest.sign.
>> >
>> > The main issue I'm facing is how to create a Web of Trust for doing
>> > all the public verification bits.
>> >
>> > --
>> > Vincent
>> >
>> >
>> > _______________________________________________
>> > Haskell-Cafe mailing list
>> > Haskell-Cafe at haskell.org
>> > http://www.haskell.org/mailman/listinfo/haskell-cafe
>>
>>
>
>
>
>
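Vincent's manifest-plus-detached-signature design, worked through as an added example (this is not cabal-signature's own code, and it is written in Go rather than Haskell so it runs on a stock toolchain): every file hash goes into a deterministic manifest, only the manifest is signed, and a verifier checks the signature before trusting any hash. Package file names and contents are constructed for the demo; the Web of Trust question (which public keys to accept) is left out, as the thread does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// PackageFiles stands in for the files of an sdist tarball (constructed, not a real package).
type PackageFiles map[string][]byte

// BuildManifest emits one "sha256  path" line per file, sorted by path so the
// text is deterministic: the same files always produce the same signed bytes.
func BuildManifest(files PackageFiles) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.String()
}

// SignManifest is the cabal-signature step: a detached signature over the manifest only.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyPackage checks the signature first, then re-derives the manifest from the
// unpacked files; any modified, added or removed file changes the text and fails.
func VerifyPackage(pub ed25519.PublicKey, manifest string, sig []byte, files PackageFiles) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if BuildManifest(files) != manifest {
		return fmt.Errorf("package contents do not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	files := PackageFiles{"foo.cabal": []byte("name: foo\n"), "Foo.hs": []byte("module Foo where\n")}
	m := BuildManifest(files)
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyPackage(pub, m, sig, files))
	files["Foo.hs"] = []byte("module Foo where\n-- tampered after signing\n")
	fmt.Println("tampered:", VerifyPackage(pub, m, sig, files))
}
```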