[Haskell-cafe] Improvements to package hosting and security

Francesco Ariis fa-ml at ariis.it
Mon Apr 13 12:18:48 UTC 2015

On Mon, Apr 13, 2015 at 10:02:45AM +0000, Michael Snoyman wrote:
> I wrote up a strawman proposal last week[5] which clearly needs work to be
> a realistic option. My question is: are people interested in moving forward
> on this? If there's no interest, and everyone is satisfied with continuing
> with the current Hackage-central-authority, then we can proceed with having
> reliable and secure services built around Hackage. But if others- like me-
> would like to see a more secure system built from the ground up, please say
> so and let's continue that conversation.

I finished reading the proposal, the only minor remark I have is on this

    " Each signature may be revoked using standard GPG revokation.

It is the /key/ being revoked really, not the single signature (in our case
it would mean revoking every-package-version-or-revision-signed-by-that-key).
This in turn highlights the need for a well defined process on how to
handle "key transitions" (task left to the single implementators).

A distributed and secure hackage sounds like a dream, I really hope this
comes to life!

More information about the Haskell-Cafe mailing list