[Haskell-cafe] Improvements to package hosting and security

Mathieu Boespflug mboes at tweag.net
Thu Apr 16 21:03:02 UTC 2015


> Incidentally, having read your post on splitting things up a bit when I
> got back from holiday, I agree there are certainly valid complaints
> there. I'm not at all averse to factoring the hackage-server
> implementation slightly differently, perhaps so that the core index and
> package serving is handled by a smaller component (e.g. a dumb http
> server). For 3rd party services, the goal has always been for the
> hackage-server impl to provide all of its data in useful formats. No
> doubt that can be improved. Pull requests gratefully accepted.

Awesome. Sounds like we're in broad agreement.

> I see this security stuff as a big deal for the reliability because it
> will allow us to use public untrusted mirrors. That's why it's important
> to cover every package. That and perhaps a bit of refactoring of the
> hackage server should give us a very reliable system.

Indeed - availability by both reliability and redundancy. I still have
some catching up to do on the technical content of your proposal and
others - let me comment on that later. But either way I can certainly
agree with the goal of reducing the size of the trusted base while
simultaneously expanding the number of points of distribution.

In the meantime, mirrors already exist (e.g.
http://hackage.fpcomplete.com/), but as you say, they need to be
trusted, in addition to having to trust Hackage.

Thanks again for your detailed blog post and the context it provides.

Best,

Mathieu

