[Haskell-community] Hackage Roots of Trust

Fri Sep 18 20:12:50 UTC 2015

We can keep our eye on it, but our globalsign cert is fine for the
time being in my opinion.

For now, I'm happy to let Jason continue to manage the cert since
transferring it is potentially a pain?

In the future, turning management over to our admins seems a
reasonable course of action. One of the nice things about the roots of
trust system is that our package distribution is now secured
_regardless_ of our cert, so it seems good to keep the cert managed
the "typical" way (perhaps passing the register/renew stuff over to a
current committee member if we prefer) rather than having to reinvent
_all_ the wheels :-)

--gershom

On Wed, Sep 16, 2015 at 3:01 PM, Ryan Trinkle <ryan.trinkle at gmail.com> wrote:
> Would Let's Encrypt be appropriate?  I don't know too much about it, but
> it's "free, automated, and open", which sounds cool.  According to what
> they've been saying, it *should* be ready in time.
>
> On Wed, Sep 16, 2015 at 1:02 PM, Jason Dagit <dagitj at gmail.com> wrote:
>>
>> Somewhat related to this, I got an email reminder from GlobalSign today
>> saying our cert expires soon, mid-November. I've currently been the one that
>> registers/renews the cert. Perhaps part of the discussion around our roots
>> of trust will include a discussion of how to manage this cert?
>>
>> Thanks,
>> Jason
>>
>> On Tue, Sep 15, 2015 at 6:35 PM, Gershom B <gershomb at gmail.com> wrote:
>>>
>>> At the Haskell Implementor's Workshop at ICFP, Duncan gave a talk on
>>> the work on security and package infrastructure that has been going
>>> on:
>>>
>>> https://www.youtube.com/watch?v=D9juHHlnayI
>>>
>>> One element of that, which was turned over the committee to figure out
>>> is who our actual roots of trust would be, in the same sense that
>>> there are root certificates for TLS and https authentication, etc.
>>>
>>> at the Haskell Symposium itself, I gave a quick lightning talk on the
>>> work the committee had done in this regard:
>>>
>>> https://www.youtube.com/watch?v=U8ISiSXV2c0
>>>
>>> (If you are interested in verifying your communications with Duncan by
>>> the way, and if you trust the video is undoctored, then his GPG key
>>> fingerprint appears on it, which may be of some use.)
>>>
>>> We did in fact get some keysigning done at the conference, and we also
>>> secured a fair number of keys from the roots of trust we co-ordinated,
>>> though some followup work remains to be done there. We certainly
>>> already have enough in hand to bootstrap the process as the hackage
>>> security work gets fully rolled out.
>>>
>>> One related discussion we started to have was if we might want to do
>>> haskell community funding for "phase two" of the update framework
>>> rollout, as discussed in Duncan's talk -- that phase where we not only
>>> implement server trust and signing, but also author signing.
>>>
>>> Apropos of nothing, but a related thought/question I had was if there
>>> would be interest in making cabal files themselves more potentially
>>> secure in the manner of the LIO / HLIO work [1]. Having a better chain
>>> of trust seems to somewhat obviate the need here, but it does seem
>>> like something worth considering. Similar mechanisms might also be
>>> worth integrating into template haskell IO for that matter. However,
>>> one concern is that the worth of these approaches depends in part on
>>> good SafeHaskell takeup, which has a whole bunch of obstacles in
>>> itself :-)
>>>
>>> Cheers,
>>> Gershom
>>>
>>> [1]
>>> http://www.cse.chalmers.se/~russo/publications_files/hybrid-icfp2015.pdf
>>> and https://hackage.haskell.org/package/lio-0.11.5.0 and
>>> http://www.scs.stanford.edu/~deian/pubs/stefan:2014:building-haskell.pdf
>>> _______________________________________________
>>> Haskell-community mailing list
>>> Haskell-community at haskell.org
>>> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-community
>>
>>
>>
>> _______________________________________________
>> Haskell-community mailing list
>> Haskell-community at haskell.org
>> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-community
>>
>