[Haskell-cafe] Improvements to package hosting and security

Michael Snoyman michael at snoyman.com
Fri Apr 17 03:25:17 UTC 2015


On Fri, Apr 17, 2015 at 1:01 AM Magnus Therning <magnus at therning.org> wrote:

> On Thu, Apr 16, 2015 at 03:28:10PM +0000, Michael Snoyman wrote:
> > Minor update. Some of your points about checking signatures before
> > unpacking made me curious about what Git had to offer in these
> > circumstances. For those like me who were unaware of the
> > functionality, it turns out that Git has the option to reject
> > non-signed commits, just run:
> >
> > git pull --verify-signatures
> >
> > I've set up the Travis job that pulls from Hackage to sign its
> > commits with the GPG key I've attached to this email (fingerprint
> > E595 AD42 14AF A6BB 1552  0B23 E40D 74D6 D6CF 60FD).
>
> Nice one!
>
> One thing I, as a developer of a tool that consumes the Hackage
> index[1], would like to see is a bit more metadata, in particular
>
> - alternative download URLs for the source
> - hashes of the source (probably needs to be per URL)
>
> I thought I saw something about this in the thread, but going through
> it again I can't seem to find it.  Would this sort of thing also be
> included in "improvements to package hosting"?
>
> /M
>
> [1]: http://hackage.haskell.org/package/cblrepo
>
>
>
My strawman proposal did include the idea of identifying a package via its
hash, and then providing redundant URLs for download (some of those URLs
possibly being non-HTTP, such as a special URL to refer to contents within
a Git repository). But as I keep saying, that was a strawman proposal, not
to be taken as a final design.

That said, simply adding that information to the 00-index file seems like
an easy win. The hashes, at the very least, would fit in well.

Michael
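As an added illustration (not code from the thread, cblrepo or Hackage), here is what a consumer-side check could look like once the index carries per-URL hashes as Magnus suggests: each alternative URL is tried in turn and a payload is accepted only if its hash matches before anything is unpacked. The entry layout with a "urls" list carrying a sha256 per URL, and the fetch stand-in, are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed package contents and a constructed index entry describing them.
PACKAGE_BYTES = b"constructed-tarball-bytes-for-example-1.0"
GOOD_SHA256 = hashlib.sha256(PACKAGE_BYTES).hexdigest()

INDEX_ENTRY = {  # assumed shape, not a real 00-index field set
    "name": "example",
    "version": "1.0",
    "urls": [
        {"url": "https://mirror-a.invalid/example-1.0.tar.gz", "sha256": GOOD_SHA256},
        {"url": "https://mirror-b.invalid/example-1.0.tar.gz", "sha256": GOOD_SHA256},
    ],
}


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """True only if data hashes to the expected digest (constant-time compare)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def fetch_verified(entry: Dict, fetch: Callable[[str], bytes]) -> Optional[bytes]:
    """Try each listed URL; return the first payload whose hash matches.

    An unreachable mirror is skipped, and so is one that serves bytes with
    the wrong hash: nothing is unpacked unless it matches the index.
    """
    for alt in entry["urls"]:
        try:
            data = fetch(alt["url"])
        except OSError:
            continue  # mirror down, try the next alternative
        if verify_sha256(data, alt["sha256"]):
            return data
        # hash mismatch: treat as corrupt or tampered, move on
    return None


def constructed_fetch(url: str) -> bytes:
    """Stand-in for HTTP: mirror-a serves altered bytes, mirror-b the real file."""
    if url.startswith("https://mirror-a"):
        return PACKAGE_BYTES + b"-altered"
    if url.startswith("https://mirror-b"):
        return PACKAGE_BYTES
    raise OSError("unreachable")
```

With `constructed_fetch`, the altered copy from the first mirror is rejected and the matching copy from the second is returned; if every mirror fails the check, the result is `None` and nothing is installed.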