[Haskell-cafe] Ticking time bomb
Vincent Hanquez
tab at snarc.org
Thu Jan 31 09:26:37 CET 2013
On 01/31/2013 06:27 AM, Ertugrul Söylemez wrote:
> In any case there is no valid excuse for the lack of crypto. It's too
> easy to attack Hackage, so we need some crypto regardless of what we
> interpret it as.
>
> My proposal is:
>
> 1. Build the necessary machinery into Cabal to allow signing keys and
> packages and verifying the signatures, ideally through GnuPG.
> Cabal would benefit from that even without cabal-install and
> Hackage.
Seems there are lots of suggestions of using GnuPG, which is a perfectly
valid answer if Cabal was Unix only, but I'm not sure it's a valid
option considering Windows. Sure, you can install GnuPG somehow, but it
sounds to me like it's going to be the same problem as gtk2hs on Windows.

One better way would be to tap into the two work-in-progress GnuPG
Haskell replacements:

http://hackage.haskell.org/package/openpgp
http://hackage.haskell.org/package/hOpenPGP

AFAIK, both packages are not yet handling anything related to WoT, but
just do the signing/verification (which is the same status as my ad-hoc
experiment).
--
Vincent