[Haskell-cafe] Ticking time bomb

Vincent Hanquez tab at snarc.org
Thu Jan 31 09:26:37 CET 2013

On 01/31/2013 06:27 AM, Ertugrul Söylemez wrote:
> In any case there is no valid excuse for the lack of crypto.  It's too
> easy to attack Hackage, so we need some crypto regardless of what we
> interpret it as.
> My proposal is:
>    1. Build the necessary machinery into Cabal to allow signing keys and
>       packages and verifying the signatures, ideally through GnuPG.
>       Cabal would benefit from that even without cabal-install and
>       Hackage.

Seems there's lots of suggestion of using gnupg, which is a perfectly 
valid answer if cabal was unix only, but i'm not sure it's a valid 
option considering windows. Sure you can install gnupg somehow, but 
sounds to me it's going the same problem as gtk2hs on windows.

One better way, would be to tap in the 2, work in progress, gnupg 
haskell replacement:


AFAIK, both packages are not yet handling anything related to WoT, but 
just do the signing/verification (which is same status as my ad-hoc 


More information about the Haskell-Cafe mailing list