[Haskell-cafe] Improvements to package hosting and security

Magnus Therning magnus at therning.org
Fri Apr 17 08:56:46 UTC 2015


On 17 April 2015 at 05:25, Michael Snoyman <michael at snoyman.com> wrote:
> On Fri, Apr 17, 2015 at 1:01 AM Magnus Therning <magnus at therning.org> wrote:
>> On Thu, Apr 16, 2015 at 03:28:10PM +0000, Michael Snoyman wrote:
>> > Minor update. Some of your points about checking signatures before
>> > unpacking made me curious about what Git had to offer in these
>> > circumstances. For those like me who were unaware of the
>> > functionality, it turns out that Git has the option to reject
>> > non-signed commits, just run:
>> >
>> > git pull --verify-signatures
>> >
>> > I've set up the Travis job that pulls from Hackage to sign its
>> > commits with the GPG key I've attached to this email (fingerprint
>> > E595 AD42 14AF A6BB 1552  0B23 E40D 74D6 D6CF 60FD).
>>
>> Nice one!
>>
>> One thing I, as a developer of a tool that consumes the Hackage
>> index[1], would like to see is a bit more metadata, in particular
>>
>> - alternative download URLs for the source
>> - hashes of the source (probably needs to be per URL)
>>
>> I thought I saw something about this in the thread, but going through
>> it again I can't seem to find it.  Would this sort of thing also be
>> included in "improvements to package hosting"?
>>
>> /M
>>
>> [1]: http://hackage.haskell.org/package/cblrepo
>>
>>
>
> My strawman proposal did include the idea of identifying a package via its
> hash, and then providing redundant URLs for download (some of those URLs
> possibly being non-HTTP, such as a special URL to refer to contents within a
> Git repository). But as I keep saying, that was a strawman proposal, not to
> be taken as a final design.
>
> That said, simply adding that information to the 00-index file seems like an
> easy win. The hashes, at the very least, would fit in well.

I knew I'd seen it somewhere :)

Yes, the addition of more metadata is an easy win and can be done
before the dust has settled on the issue of how to achieve trust :)

One thing I personally think is nice with OCaml's opam is that its
package database is in a git repo (on github) and that adding packages
is a matter of submitting a patch.  I'd very much like to see a future
where I can get a package onto Hackage by

1. cloning the Hackage package git repo
2. adding and committing a .cabal file and metadata about where my package
can be found, e.g. something like

        url="GIT=http://github/myname/mypkg.git;TAG=v1.0.2"
        sha512="..."

3. submitting a pull request

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus at therning.org   jabber: magnus at therning.org
twitter: magthe               http://therning.org/magnus
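The thread above sketches index entries that carry, per download location, a URL and a sha512 of the source, and stresses checking digests before anything is unpacked. The following is an added example (not code from the thread, Hackage or cblrepo) of a consumer that parses such entries, tries the listed locations in order and only returns an archive whose digest matches. The `url="…"`/`sha512="…"` line format and the `GIT=…;TAG=…` URL spec are taken from the sketch in the message and are treated here as a hypothetical format; the archive bytes, mirror URLs and the mirror behaviour are constructed for the example, and the digests are computed inside the script rather than taken from the page.

```python
"""Hypothetical per-URL digest verification for a Hackage-style index entry."""
import hashlib
import hmac
import re
from typing import Callable, Dict, List, Tuple

# One key="value" per line, as in the sketch in the message above (hypothetical format).
_FIELD_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
_SPEC_RE = re.compile(r"^[A-Z]+=")


def parse_entry(text: str) -> List[Dict[str, str]]:
    """Parse url=/sha512= lines into a list of sources, one digest per URL."""
    sources: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _FIELD_RE.match(line)
        if not m:
            raise ValueError(f"malformed metadata line: {line!r}")
        key, value = m.group(1), m.group(2)
        if key == "url":
            sources.append({"url": value})
        elif key == "sha512":
            if not sources or "sha512" in sources[-1]:
                raise ValueError("sha512 without a preceding url")
            if not re.fullmatch(r"[0-9a-f]{128}", value):
                raise ValueError("sha512 must be 128 lowercase hex digits")
            sources[-1]["sha512"] = value
        else:
            raise ValueError(f"unknown field {key!r}")
    for src in sources:
        if "sha512" not in src:
            raise ValueError(f"no sha512 for {src['url']}")
    return sources


def parse_url_spec(url: str) -> Dict[str, str]:
    """Split a 'GIT=...;TAG=v1.0.2' spec into KEY=VALUE parts; plain URLs go under 'HTTP'."""
    if not _SPEC_RE.match(url):
        return {"HTTP": url}
    parts: Dict[str, str] = {}
    for field in url.split(";"):
        key, _, value = field.partition("=")
        if not key or not value:
            raise ValueError(f"malformed url spec field: {field!r}")
        parts[key] = value
    return parts


Fetcher = Callable[[str], bytes]


def fetch_verified(sources: List[Dict[str, str]], fetch: Fetcher) -> Tuple[str, bytes]:
    """Try each source in order and return the first whose bytes match its sha512.

    Nothing is handed back (and so nothing can be unpacked) until a digest matches;
    a tampered or unreachable mirror is recorded and the next one is tried.
    """
    failures = []
    for src in sources:
        try:
            data = fetch(src["url"])
        except OSError as exc:
            failures.append(f"{src['url']}: fetch failed ({exc})")
            continue
        actual = hashlib.sha512(data).hexdigest()
        if hmac.compare_digest(actual, src["sha512"]):
            return src["url"], data
        failures.append(f"{src['url']}: sha512 mismatch")
    raise RuntimeError("no source verified: " + "; ".join(failures))


# Constructed sample: a fake archive and an entry listing two locations for it.
GOOD_ARCHIVE = b"mypkg-1.0.2 source archive (constructed sample bytes)\n"
GOOD_SHA512 = hashlib.sha512(GOOD_ARCHIVE).hexdigest()

SAMPLE_ENTRY = f'''
        url="GIT=http://github/myname/mypkg.git;TAG=v1.0.2"
        sha512="{GOOD_SHA512}"
        url="https://mirror.example.org/mypkg-1.0.2.tar.gz"
        sha512="{GOOD_SHA512}"
'''

# Constructed mirror behaviour: the first location serves altered bytes, the second the genuine archive.
SAMPLE_MIRRORS = {
    "GIT=http://github/myname/mypkg.git;TAG=v1.0.2": GOOD_ARCHIVE + b"# extra line\n",
    "https://mirror.example.org/mypkg-1.0.2.tar.gz": GOOD_ARCHIVE,
}


def sample_fetch(url: str) -> bytes:
    """Stand-in for a network fetch, backed by the constructed mirror table."""
    if url not in SAMPLE_MIRRORS:
        raise OSError("unreachable")
    return SAMPLE_MIRRORS[url]


def demo() -> str:
    """Return the URL of the first location whose archive verified."""
    url, _data = fetch_verified(parse_entry(SAMPLE_ENTRY), sample_fetch)
    return url


if __name__ == "__main__":
    print(demo())
```

The digest comparison uses `hmac.compare_digest` out of habit rather than necessity here, and the fetcher is injected so the same verification logic can be driven by a real HTTP or git-based fetch; `parse_url_spec` is what such a fetcher would use to tell a `GIT=…;TAG=…` spec from a plain URL.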