[Haskell-cafe] Improvements to package hosting and security

Magnus Therning magnus at therning.org
Thu Apr 16 22:01:22 UTC 2015

On Thu, Apr 16, 2015 at 03:28:10PM +0000, Michael Snoyman wrote:
> Minor update. Some of your points about checking signatures before
> unpacking made me curious about what Git had to offer in these
> circumstances. For those like me who were unaware of the
> functionality, it turns out that Git has the option to reject
> non-signed commits, just run:
> git pull --verify-signatures
> I've set up the Travis job that pulls from Hackage to sign its
> commits with the GPG key I've attached to this email (fingerprint
> E595 AD42 14AF A6BB 1552  0B23 E40D 74D6 D6CF 60FD).

Nice one!

One thing I, as a developer of a tool that consumes the Hackage
index[1], would like to see is a bit more meta data, in particular

- alternative download URLs for the source
- hashes of the source (probably needs to be per URL)

I thought I saw something about this in the thread, but going through
it again I can't seem to find it.  Would this sort of thing also be
included in "improvements to package hosting"?


[1]: http://hackage.haskell.org/package/cblrepo

Magnus Therning                      OpenPGP: 0xAB4DFBA4 
email: magnus at therning.org   jabber: magnus at therning.org
twitter: magthe               http://therning.org/magnus

There's a big difference between making something easy to use and
making it productive.
     -- Adam Bosworth
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 163 bytes
Desc: not available
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20150417/5fff4046/attachment.sig>

More information about the Haskell-Cafe mailing list