[Haskell-cafe] Improvements to package hosting and security

Michael Snoyman michael at snoyman.com
Thu Apr 30 07:21:53 UTC 2015


On Thu, Apr 30, 2015 at 10:08 AM Jeremy <voldermort at hotmail.com> wrote:

> Mathieu Boespflug-4 wrote
> > We're not introducing dependencies on dynamically linked system libraries
> > that makes tooling hard to distribute. We're not asking users to install
> > anything new that isn't already a staple of most developer desktops
>
> My sole concern with this is that git is often not present on build
> servers,
> which may be minimal cloud VMs. Here's what I get when I try to install git
> on mine:
>
> # apt install git --no-install-recommends
> ...
> The following NEW packages will be installed:
>   git git-man libcurl3-gnutls liberror-perl libexpat1 libgdbm3 perl
> perl-modules
> 0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded.
> Need to get 10.4 MB of archives.
> After this operation, 57.2 MB of additional disk space will be used.
>
> Not unbearable, but not insignificant either.
>
>
>
One possible workflow[1] would be to have a dedicated system that uses Git
and GPG to pull the current versions of all packages and verify signatures.
That system could then create a snapshot of that information that could
simply be downloaded by a build server. In fact, there could even be a
public server available providing that functionality, with the caveat that-
like today- you'd need to trust that server to not be compromised.

I think this is what Mathieu was getting at when he said:

> Further, users can still opt-out of signature verification if they want
to.

Michael

[1] And possible may be too weak a word, as I have an implementation pretty
close to this already.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20150430/80768463/attachment.html>


More information about the Haskell-Cafe mailing list