[Haskell-cafe] [haskell-infrastructure] Improvements to package hosting and security

[Mathieu Boespflug]

> In the future, we can at first optionally, and then later on a stricter basis encourage and then enforce signing. I think this is a good idea.
>
> But, and here we apparently disagree completely, it seems to me that everything else is not and should not be the job of a centralized server.

Actually, I think you and Michael are in violent *agreement* on this
particular point. At the core of the gist that was pointed to earlier
in this thread [1], is the idea that we should have some kind of
central notepad, where anyone is allowed to scribble anything they
like, even add pointers to packages that are completely broken, don't
build, or are malicious trojan horses. Then, it's up to end users to
filter out the wheat from the chaff. In particular, it's up to the
user to pretend those scribbles that were added by untrusted sources
were just never there, *according to the users own trust model*. The
central notepad does not enforce any particular trust model. It just
provides sufficient mechanism so that the information necessary to
support common trust models, such as WoT of GPG keys, can be uploaded
and/or pointed to and found.

In this way, any trust model can be supported. We could refactor
Hackage on top of this notepad, and have Hackage upload metadata about
those scribbles that *it* thinks are legit, say because Hackage
performed the scribble itself on behalf of some user, but only did so
after authenticating said user, according to its own notion of
authentication.

Users are free to say "I trust any scribble to the notepad about any
package that was added by an authenticated Hackage user". Or "I only
trust scribbles from my Haskell friends whom I have met at ICFP and on
that occasion exchanged keys". Or a union of both. Or anything else
really.

[1] https://gist.github.com/snoyberg/732aa47a5dd3864051b9