[Haskell-cafe] Ticking time bomb

Edward Z. Yang ezyang at MIT.EDU
Thu Jan 31 00:07:09 CET 2013

Excerpts from Joachim Breitner's message of Wed Jan 30 14:57:28 -0800 2013:
> I’m not against cryptographically signed packages on hackage. In fact, I
> would whole-heatedly appreciate it, as it would make my work as a
> package maintainer easier.
> I was taking the opportunity to point out an advantage of established
> package management systems, to shamelessly advertise my work there, as
> not everyone sees distro-packaged libraries as a useful thing.

Yes. In fact, I am a sysadmin for a large shared hosting environment, and
the fact that programming language libraries tend not to be distro-packaged
is an endless headache for us.  We would like it if everything were just
packaged properly!

On the other hand, working in these circumstances has made me realize
that there is a huge tension between the goals of package library
authors and distribution managers (a package library author is desires
ease of installation of their packages, keeping everyone up-to-date as
possible and tends to be selfish when it comes to the rest of the
ecosystem, whereas the distribution manager values stability, security,
and global consistency of the ecosystem.)  So there is a lot of work to
be done here.  Nevertheless, I believe we are in violent agreement that
cryptographically signed Hackage packages should happen as soon as


More information about the Haskell-Cafe mailing list