[Haskell-cafe] Ticking time bomb

Ketil Malde ketil at malde.org
Thu Jan 31 12:53:00 CET 2013

Ertugrul Söylemez <es at ertes.de> writes:

> And that may even be more harmful, because an insecure system with a
> false sense of security is worse than an insecure system alone.

Yes.  As is clear to all, the current low level of security means that
nobody are _actually_ downloading stuff of Hackage, thank God.  Hackage
just exists for...well, I forget, but certainly not to distribute
software.  Right.

Sarcasm aside, to some extent, this is true.  I used to have a cron job
'cabal install'ing my packages off Hackage to ensure that they would
compile with the current offering of their dependencies.  But I decided
it was way too risky, and don't do it anymore.

> Let's do it properly.

You mean like how it was decisively dealt with when this was discussed
in 2008?


Or maybe more the way it was firmly handled when it was brought up again
in 2010? 


This looks increasingly like that time of year when the problem is
pointed out, the crypto geeks get together to construct the Optimal
Solution, and then everybody lose interest and move on to greener
pastures for a while.  Well, I don't think the perfect solution exists, and even if
it could be identified, it might not be implemented, and even if
were implemented, it might not be used.

We've just been incredibly lucky that nothing really bad has happened so
far.  Let's hope it lasts.

If I haven't seen further, it is by standing in the footprints of giants

More information about the Haskell-Cafe mailing list