[Haskell-cafe] Ticking time bomb

Ertugrul Söylemez es at ertes.de
Thu Jan 31 11:51:06 CET 2013

Vincent Hanquez <tab at snarc.org> wrote:

> > That was exactly my suggestion actually.  It requires the ability to
> > make and check signatures.  The making can be done with external
> > tools like GnuPG, but the checking has to be done by cabal-install.
> > To detect changed keys there also needs to be a trust database,
> > which can be a simple directory in ~/.cabal/ where files are named
> > after the fingerprint of the key it contains.
> >
> > The most important part is a sensible user interface.  The whole
> > process should be invisible to the user, until there is a signature
> > error.  The first installation of a package will actually generate a
> > handful of signature errors, because the keys are not known yet.
> >
> > This shouldn't be too hard to implement and requires only a small
> > change to Hackage and cabal-install's upload command to begin.
> That's not a proper solution, and definitively in the warm fuzzy
> feeling department.
> What if you install a package for the first time and this package has
> just been re-uploaded maliciously with a different key and a payload ?
> What if you're relying on hackage mirrors, what stop this mirror to
> regenerate all signatures with a new key ?
> It also make maintainers change difficult, and doing genuine
> non-maintainer upload.

See the last point of my post.  The last step is to implement proper web
of trust functionality, so that some keys can be declared to be signing
keys.  Then a set of trusted keys can be shipped together with

That step is optional, because at least now I can fetch developer keys
by other means like a key server.

According to my solution Cabal warns for new and changed keys and asks
whether to trust them showing a fingerprint.


Key-ID: E5DD8D11 "Ertugrul Soeylemez <es at ertes.de>"
FPrint: BD28 3E3F BE63 BADD 4157  9134 D56A 37FA E5DD 8D11
Keysrv: hkp://subkeys.pgp.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20130131/8a5882eb/attachment.pgp>

More information about the Haskell-Cafe mailing list