[Haskell-cafe] Improvements to package hosting and security
Magnus Therning
magnus at therning.org
Thu Apr 16 22:01:22 UTC 2015
On Thu, Apr 16, 2015 at 03:28:10PM +0000, Michael Snoyman wrote:
> Minor update. Some of your points about checking signatures before
> unpacking made me curious about what Git had to offer in these
> circumstances. For those like me who were unaware of the
> functionality, it turns out that Git has the option to reject
> non-signed commits, just run:
>
> git pull --verify-signatures
>
> I've set up the Travis job that pulls from Hackage to sign its
> commits with the GPG key I've attached to this email (fingerprint
> E595 AD42 14AF A6BB 1552 0B23 E40D 74D6 D6CF 60FD).
Nice one!

One thing I, as a developer of a tool that consumes the Hackage
index[1], would like to see is a bit more metadata, in particular

- alternative download URLs for the source
- hashes of the source (probably needs to be per URL)

I thought I saw something about this in the thread, but going through
it again I can't seem to find it. Would this sort of thing also be
included in "improvements to package hosting"?

/M
[1]: http://hackage.haskell.org/package/cblrepo
--
Magnus Therning OpenPGP: 0xAB4DFBA4
email: magnus at therning.org jabber: magnus at therning.org
twitter: magthe http://therning.org/magnus
There's a big difference between making something easy to use and
making it productive.
-- Adam Bosworth
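
The per-URL hash idea from the message above, as an added example that is not part of the original email or of any Hackage tooling: a consumer tries each alternative URL in turn and accepts an archive only if its SHA-256 matches the hash listed for that URL, before anything is unpacked. The entry layout, field names, `fetch_verified` and the `example` URLs are assumptions made for illustration.

```python
import hashlib
import hmac

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def fetch_verified(entry, fetch):
    """Return (url, data, rejected) for the first source whose bytes match
    the SHA-256 recorded for that URL. `fetch` is any callable url -> bytes,
    injected so the check runs offline. Callers unpack only what is returned."""
    rejected = []
    for src in entry["sources"]:
        url, want = src["url"], src["sha256"].lower()
        try:
            data = fetch(url)
        except OSError as exc:  # source unreachable: fall through to the next
            rejected.append((url, "fetch failed: %s" % exc))
            continue
        got = sha256_hex(data)
        if hmac.compare_digest(got, want):
            return url, data, rejected
        rejected.append((url, "sha256 mismatch: got %s" % got))
    raise ValueError("no source verified for %s-%s: %r"
                     % (entry["name"], entry["version"], rejected))

# Constructed sample data (not real packages or hosts).
ORIGINAL = b"constructed sdist bytes for pkg-1.0"
REPACKED = b"constructed re-compressed sdist for pkg-1.0"
PRIMARY = "https://primary.example/pkg-1.0.tar.gz"
MIRROR = "https://mirror.example/pkg-1.0.tar.gz"

# Hypothetical index entry: one hash per URL, because a mirror may serve a
# differently packed archive of the same source.
ENTRY = {"name": "pkg", "version": "1.0", "sources": [
    {"url": PRIMARY, "sha256": sha256_hex(ORIGINAL)},
    {"url": MIRROR, "sha256": sha256_hex(REPACKED)},
]}

def demo_fetch(url):
    # The primary serves altered bytes; the mirror serves what its hash says.
    return {PRIMARY: ORIGINAL + b"\x00altered", MIRROR: REPACKED}[url]

if __name__ == "__main__":
    url, data, rejected = fetch_verified(ENTRY, demo_fetch)
    print("accepted", url, "after rejecting", [u for u, _ in rejected])
```

The hashes are only as trustworthy as the index that carries them, which is where the signed commits discussed in the quoted message come in.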