[Haskell-cafe] Ongoing IHG work to improve Hackage security

Duncan Coutts duncan at well-typed.com
Thu Apr 16 09:33:55 UTC 2015


The IHG members identified Hackage security as an important issue some
time ago and myself and my colleague Austin have been working on a
design and implementation.

The details are in this blog post:


We should have made more noise earlier about the fact that we're working
on this. We saw that it was important to finally write this up now
because other similar ideas are under active discussion and we don't
want to cause too much unnecessary duplication.

The summary is this:

We're implementing a system to significantly improve Hackage security.
It's based on a sensible design (The Update Framework) by proper crypto
experts. The basic system is fully automatic and covers all packages on
Hackage. A proposed extension would give further security improvements
for individual packages at the cost of a modest effort from package


It will also allow the secure use of untrusted public Hackage mirrors,
which is the simplest route to better Hackage reliability. As a bonus
we're including incremental index downloads to reduce `cabal update`
wait times. And it's all fully backwards compatible.

I should also note that our IHG funding covers the first phase of the
design, and for the second phase we would very much welcome others to
get involved with the detailed design and implementation (or join the
IHG and contribute further funding).

Duncan Coutts, Haskell Consultant
Well-Typed LLP, http://www.well-typed.com/

More information about the Haskell-Cafe mailing list