[Haskell-cafe] Improvements to package hosting and security

Tillmann Rendel rendel at informatik.uni-tuebingen.de
Sat May 2 10:43:52 UTC 2015


Hi,

[I decided to drop haskell-infrastructure at community.galois.com from the 
CC list because for my last message in this thread, I got some noise 
about moderation].

amindfv at gmail.com wrote:
> I think the idea is that package signing is not a requirement, but
> that git is a requirement for package signing. So users can still get
> the behavior that they get today, without git.

So there would be `cabal update --unsigned` and `cabal update --signed`
and the former doesn't need git?

I skimmed the proposal at

https://github.com/commercialhaskell/commercialhaskell/wiki/Git-backed-Hackage-index-signing-and-distribution

and did not find this information there. Instead, I found this snippet:

> Especially in developing countries, it would be a real liability for
> Haskell if the first step before doing anything is having to download
> a 1GB Git archive. Especially considering that given the current
> growth curve, the Git repository with all content imported will
> likely be hitting 2GB by this time next year, and so on.

This sounds as if for all Haskell users, "the first step before doing 
anything" would have to be to use git.

   Tillmann

PS. BTW, check out this Stack Overflow question to understand why 
installing and configuring git will be hard for some Haskell users on 
Windows:

http://stackoverflow.com/questions/30000688/windows-loading-haskell-source-code-into-ghci

