[Haskell-cafe] Improvements to package hosting and security

Michael Snoyman michael at snoyman.com
Sun May 3 05:30:05 UTC 2015

There's actually a really easy solution to "have Git installed": bundle it
with MinGHC. Another alternative would be to use one of the many libraries
out there that can talk the Git wire protocols. In fact, if anyone is
worried about the standard Git tool not being secure enough (either due to
C code or some other reason), we could have a Haskell-based Git
implementation that focuses on security. There would still be big
advantages to using the Git protocol in that case, such as a well
understood protocol to work against and easy interop with existing tools.

That said, I think bundling the necessary Git tooling with MinGHC is an
easy win.

On Sat, May 2, 2015 at 1:44 PM Tillmann Rendel <
rendel at informatik.uni-tuebingen.de> wrote:

> Hi,
> [I decided to drop haskell-infrastructure at community.galois.com from the
> CC list because for my last message in this thread, I got some noise
> about moderation].
> amindfv at gmail.com wrote:
> > I think the idea is that package signing is not a requirement, but
> > that git is a requirement for package signing. So users can still get
> > the behavior that they get today, without git.
> So there would be `cabal update --unsigned` and `cabal update --signed`
> and the former doesn't need git?
> I skimmed the the proposal at
> https://github.com/commercialhaskell/commercialhaskell/wiki/Git-backed-Hackage-index-signing-and-distribution
> and did not find this information there. Instead, I found this snippet:
> > Especially in developing countries, it would be a real liability for
> > Haskell if the first step before doing anything is having to download
> > a 1GB Git archive. Especially considering that given the current
> > growth curve, the Git repository with all content imported will
> > likely be hitting 2GB by this time next year, and so on.
> This sounds as if for all Haskell users, "the first step before doing
> anything" would have to be to use git.
>    Tillmann
> PS. BTW, check out this stack overflow question to understand why
> installing and configuring git will be hard for some Haskell users on
> Windows:
> http://stackoverflow.com/questions/30000688/windows-loading-haskell-source-code-into-ghci
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20150503/9fddcdb3/attachment.html>

More information about the Haskell-Cafe mailing list