[Haskell-cafe] Ticking time bomb

Ertugrul Söylemez es at ertes.de
Thu Jan 31 09:38:11 CET 2013


Vincent Hanquez <tab at snarc.org> wrote:

> I agree this is terrible, I've started working on this, but this is
> quite a bit of work and other priorities always pop up.
>
> https://github.com/vincenthz/cabal
> https://github.com/vincenthz/cabal-signature
>
> My current implementation generates a manifest during sdist'ing in
> cabal, and has cabal-signature called by cabal on the manifest to
> create a manifest.sign.
>
> The main issue I'm facing is how to create a Web of Trust for doing
> all the public verification bits.

You don't need it yet.  See my other post.  Once the basic
infrastructure for signatures is established, you can allow the user to
have a set of trusted keys.  The idea is that users can ask for keys
and/or import keys from key servers.  In the worst case they accept keys
when installing a package.  Once you have such a trust database you can
allow users to select whether a key is to be trusted for signing other
keys.  Then you have basically everything to establish both hierarchical
trust relationships (like CAs) and webs of trust.


Greets,
Ertugrul

-- 
Not to be or to be and (not to be or to be and (not to be or to be and
(not to be or to be and ... that is the list monad.
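The trust database sketched in the reply above, worked through as an added example (this is not code from cabal or cabal-signature, and the key ids are constructed). It assumes the lower signature layer has already verified every certification's signature before it is imported, so this layer only decides which keys the user trusts. It shows the three cases the post names: keys imported and marked as certifiers, keys accepted at install time in the worst case, and certifications that yield either a CA-style hierarchy (a delegating root) or a web of trust (a quorum of independent certifiers).

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certification:
    """One key vouching for another.  Assumption: the signature layer has
    already verified the signature by `signer` over `subject`, so this
    layer reasons only about trust, never about bytes."""
    signer: str
    subject: str


@dataclass
class TrustDB:
    trusted: set = field(default_factory=set)     # keys trusted to sign packages
    certifiers: set = field(default_factory=set)  # keys also trusted to sign other keys
    delegating: set = field(default_factory=set)  # certifiers whose subjects become certifiers (CA style)
    certs: set = field(default_factory=set)       # imported, signature-checked certifications

    def import_key(self, key_id, certify=False, delegate=False):
        """A key fetched from a key server and explicitly trusted by the user."""
        self.trusted.add(key_id)
        if certify or delegate:
            self.certifiers.add(key_id)
        if delegate:
            self.delegating.add(key_id)

    def accept_on_install(self, key_id):
        """Worst case from the post: the user accepts an unknown key while
        installing.  It may sign packages but never vouches for other keys."""
        self.trusted.add(key_id)

    def import_certification(self, signer, subject):
        self.certs.add(Certification(signer, subject))

    def effective_certifiers(self, max_depth=2):
        """User-marked certifiers plus keys reachable from a delegating
        certifier through at most `max_depth` certifications."""
        depth = {k: 0 for k in self.certifiers}
        queue = deque(self.certifiers)
        while queue:
            c = queue.popleft()
            if depth[c] == 0 and c not in self.delegating:
                continue  # plain certifier: vouches for package keys only
            if depth[c] >= max_depth:
                continue  # path length limit, like a CA chain bound
            for cert in self.certs:
                if cert.signer == c and cert.subject not in depth:
                    depth[cert.subject] = depth[c] + 1
                    queue.append(cert.subject)
        return set(depth)

    def is_trusted(self, key_id, quorum=1, max_depth=2):
        """Directly trusted, or vouched for by at least `quorum` distinct
        effective certifiers (quorum > 1 gives web-of-trust style marginal trust)."""
        if key_id in self.trusted:
            return True
        effective = self.effective_certifiers(max_depth)
        vouchers = {c.signer for c in self.certs
                    if c.subject == key_id and c.signer in effective}
        return len(vouchers) >= quorum


def demo():
    """Constructed scenario: one CA hierarchy, one small web of trust,
    and two keys that must not gain trust by the back door."""
    db = TrustDB()
    db.import_key("root-ca", delegate=True)          # hierarchical trust anchor
    db.import_key("bob", certify=True)               # web-of-trust introducers
    db.import_key("carol", certify=True)
    db.accept_on_install("unknown-pkg")              # accepted at install time

    db.import_certification("root-ca", "team-ca")    # CA chain: root -> team -> alice
    db.import_certification("team-ca", "alice-pkg")
    db.import_certification("bob", "dave-pkg")       # two independent vouchers
    db.import_certification("carol", "dave-pkg")
    db.import_certification("bob", "erin-pkg")       # only one voucher
    db.import_certification("unknown-pkg", "mallory-pkg")  # install-accepted key vouching
    db.import_certification("bob", "bob-friend")     # bob does not delegate
    db.import_certification("bob-friend", "gina-pkg")
    db.import_certification("stranger", "frank-pkg")  # signer never imported

    return {
        "alice_via_ca_chain": db.is_trusted("alice-pkg"),
        "dave_two_vouchers": db.is_trusted("dave-pkg", quorum=2),
        "erin_needs_quorum": db.is_trusted("erin-pkg", quorum=2),
        "erin_single_voucher": db.is_trusted("erin-pkg", quorum=1),
        "mallory_via_tofu_key": db.is_trusted("mallory-pkg"),
        "gina_via_nondelegating": db.is_trusted("gina-pkg"),
        "frank_via_stranger": db.is_trusted("frank-pkg"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the two trust sets make: a key accepted at install time is trusted for the package it came with and nothing more, and a certifier the user did not mark as delegating cannot extend the chain, so neither an unexpected package key nor a friend-of-a-friend key can quietly become a trust root.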