[Haskell-cafe] Improvements to package hosting and security

Fri Apr 17 04:50:50 UTC 2015

On 17-04-2015 05:34, Michael Snoyman wrote:

> I wrote up a strawman proposal last week[5] which clearly needs work to
> be a realistic option. My question is: are people interested in moving
> forward on this? If there's no interest, and everyone is satisfied with
> continuing with the current Hackage-central-authority, then we can proceed
> with having reliable and secure services built around Hackage. But if
> others- like me- would like to see a more secure system built from the
> ground up, please say so and let's continue that conversation.

You say "more secure". Against what? What's the threat model? (Again,
sorry if I missed it, it's been a long thread.)

Yes, I'd definitely like a more "secure system" against many/all of the
threats identified in e.g. TUF (perhaps even more, if realistic), but it's
hard to evaluate a proposal without an explicitly spelled out threat
model. This is where adopting bits of TUF seems a lot more appealing than a
home-brewed model, at least if we can remain confident that those bits
actually mitigate the threats that we want covered.