[Haskell-cafe] Ticking time bomb

Joachim Breitner mail at joachim-breitner.de
Thu Jan 31 10:28:49 CET 2013


Am Donnerstag, den 31.01.2013, 09:42 +0100 schrieb Ertugrul Söylemez:
> And that may even be more harmful, because an insecure system with a
> false sense of security is worse than an insecure system alone.
> Let's do it properly.

but don’t overengineer it either. Simply adding to hackage the
possibility to store a .asc file next to the tar.gz file that contains
the cryptographic signature would be a great start, and allow us to
develop a WoT model later on.

(I try to resist from wondering whether this could go into hackage1 or
only hackage2, and in the latter case, whether that means that we
actually have the time to overengineer the system.)

In fact, a lot would already be gained by a simple „warn if foo-2.0 is
signed with a different key than the version of foo already installed“
on cabal-install and people having a closer look at uploads from
different people. Not much infrastructure needed there.


Joachim "nomeata" Breitner
  mail at joachim-breitner.de  |  nomeata at debian.org  |  GPG: 0x4743206C
  xmpp: nomeata at joachim-breitner.de | http://www.joachim-breitner.de/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20130131/8a55b919/attachment.pgp>

More information about the Haskell-Cafe mailing list