[Haskell-community] Hackage Roots of Trust
Gershom B
gershomb at gmail.com
Wed Sep 16 01:35:34 UTC 2015
At the Haskell Implementor's Workshop at ICFP, Duncan gave a talk on
the work on security and package infrastructure that has been going
on:
https://www.youtube.com/watch?v=D9juHHlnayI
One element of that, which was turned over the committee to figure out
is who our actual roots of trust would be, in the same sense that
there are root certificates for TLS and https authentication, etc.
at the Haskell Symposium itself, I gave a quick lightning talk on the
work the committee had done in this regard:
https://www.youtube.com/watch?v=U8ISiSXV2c0
(If you are interested in verifying your communications with Duncan by
the way, and if you trust the video is undoctored, then his GPG key
fingerprint appears on it, which may be of some use.)
We did in fact get some keysigning done at the conference, and we also
secured a fair number of keys from the roots of trust we co-ordinated,
though some followup work remains to be done there. We certainly
already have enough in hand to bootstrap the process as the hackage
security work gets fully rolled out.
One related discussion we started to have was if we might want to do
haskell community funding for "phase two" of the update framework
rollout, as discussed in Duncan's talk -- that phase where we not only
implement server trust and signing, but also author signing.
Apropos of nothing, but a related thought/question I had was if there
would be interest in making cabal files themselves more potentially
secure in the manner of the LIO / HLIO work [1]. Having a better chain
of trust seems to somewhat obviate the need here, but it does seem
like something worth considering. Similar mechanisms might also be
worth integrating into template haskell IO for that matter. However,
one concern is that the worth of these approaches depends in part on
good SafeHaskell takeup, which has a whole bunch of obstacles in
itself :-)
Cheers,
Gershom
[1] http://www.cse.chalmers.se/~russo/publications_files/hybrid-icfp2015.pdf
and https://hackage.haskell.org/package/lio-0.11.5.0 and
http://www.scs.stanford.edu/~deian/pubs/stefan:2014:building-haskell.pdf
More information about the Haskell-community
mailing list