[Haskell-cafe] Improvements to package hosting and security

Mathieu Boespflug mboes at tweag.net
Thu Apr 16 12:39:30 UTC 2015

I'd like to step back from the technical discussion here for a moment
and expand a bit on a point at the end of my previous email, which is
really about process.

After I first uploaded a blog post about service architectures and
package distribution that was a recent interest of mine, I was very
surprised and happy to hear that actually several parties had not only
been already thinking about these very topics but moreover already
have various small prototypes lying around. This was also the case for
*secure* package distribution. What puzzled me, however, is that this
came in the form of multiple private messages from multiple sources
sometimes referring to multiple said parties only vaguely and without
identifying them. A similar story occurred when folks first started
evoking package signing some years ago.

Be it on robust identification of the provenance of packages,
distribution packages and their metadata, more robust sandboxes or any
other topic that touches upon our core infrastructure and tooling, it
would be really great if people made themselves known and came forth
with a) the requirements they seek to work against, b) their ideas to
solve them and c) the resources they need or are themselves willing to
bring to bear.

It ultimately hurts the community when people repeatedly say things to
the effect of, "yep, I hear you, interesting topic, I have a really
cool solution to all of what you're saying - will be done Real Soon
Now(tm)", or are happy to share details but only within a limited
circle of cognoscenti. Because the net result is that other interested
parties either unknowingly duplicate effort, or stall thinking that
others are tackling the issue, sometimes for years.

I know that the IHG has been interested in more secure package
distribution for a very long time now, so it's really great that
Duncan and Austin have now ("finally") taken the time to write up
their current plan, moreover with a discussion of how it addresses a
specific threat model, and make it known to the rest of the community
that they have secured partial funding from the IHG. I know there are
other efforts out there; it would be great if they all came out of the
woodwork. And in the future, if we could all be mindful to *publish*
proposals and intents *upfront* when it comes to our shared community
infrastructure and community tooling (rather than months or years
later). I believe that's what is at the core of an *open* process for
community developments.

Ok, end of meta point, I for one am keen to dive back into the
technical points that have been brought up in this thread already. :)
