[Haskell-cafe] Ticking time bomb
tab at snarc.org
Thu Jan 31 11:48:34 CET 2013
On 01/31/2013 08:54 AM, Alexander Kjeldaas wrote:
> On Thu, Jan 31, 2013 at 9:26 AM, Vincent Hanquez <tab at snarc.org> wrote:
>> On 01/31/2013 06:27 AM, Ertugrul Söylemez wrote:
>>> In any case there is no valid excuse for the lack of crypto. It's too
>>> easy to attack Hackage, so we need some crypto regardless of what we
>>> interpret it as.
>>> My proposal is:
>>> 1. Build the necessary machinery into Cabal to allow signing keys and
>>> packages and verifying the signatures, ideally through GnuPG.
>>> Cabal would benefit from that even without cabal-install and
>> Seems there are lots of suggestions of using gnupg, which is a perfectly
>> valid answer if cabal was unix only, but I'm not sure it's a valid option
>> considering windows. Sure you can install gnupg somehow, but it sounds to me
>> like it's going to hit the same problem as gtk2hs on windows.
>> One better way would be to tap into the 2 work-in-progress gnupg haskell
>> AFAIK, both packages are not yet handling anything related to WoT, but
>> just do the signing/verification (which is the same status as my ad-hoc
> In this case I think this is the wrong approach. There must be at least
> one way to work within a trust model that is not fragile. Whether this is
> fully supported on all platforms is actually not very important.
> I have pointed out why simply signing packages is fragile and how git is
> better suited for this task. We are not going to reimplement all the good
> infrastructure that already exists (gpg, git), so making that a requirement
> is not a good idea IMO.
> Basic verification of signatures should work on Windows, I agree. But the
> underlying WoT should be a little bit more sophisticated. This means it
> has to be based on standard tools, or it will never happen.
I think you misunderstood me.
Having a fully working pgp package means you have full control of the
pgp stack, you don't rely on hard-to-get outside tools, and it can be
integrated with cabal directly for a full WoT experience.
Also, git doesn't solve the Hackage problem; there's not necessarily a
one-to-one mapping between packages and their repositories.