hackage, cabal-get, and security

Bulat Ziganshin bulatz at HotPOP.com
Tue May 10 14:23:53 EDT 2005

Hello Isaac,

Tuesday, May 10, 2005, 9:21:15 PM, you wrote:

IJ> I'm working with Lemmih on the designs for Hackage and Cabal-Get.
IJ> He's a real trooper, since I'm a total "customer" and have hardly
IJ> written a line of code for these tools, but keep coming up with new
IJ> requirements.

how about taking Perl's CPAN and Ruby's Yaraa for a model?

IJ> The basic interaction we would like is this:

IJ> 1) upload a tarball of a cabal-ized tool to the web site

IJ> 2) the tarball gets unpacked, the .cabal file is read and added to the
IJ>    database

IJ> 3) Now, an end user can say "cabal-get pkgname" and it'll download
IJ> pkgname and all of its build-depends, compile and install them. Use
IJ> the --user flag if you want to install it all locally.  Yay!

IJ> This actually already works :)

i think, that many packages authors will prefer to hold archives on
their own sites. and imho hackage must provide ability to just send
description (package.cabal) to main site, in this case this file must
include exact url to download full package. also .cabal file must
include "home page" of package and email address of author

IJ> The big problem actually is that this is in no way secure, and just
IJ> begging to be exploited.  Boo.

imho best way to deal with this problem is "reserving" package names
with password. after that, to change any information belonging to
package, password must be supplied

IJ> 1) Generate a gnupg key. preferably get it signed by someone in my web
IJ>    of trust (I'll try to organize a keysigning party at ICFP).

yes, yes, we can also use our personal FBI numbers. anyway, someone not
working in FBI can't be a good Haskeller :)

Best regards,
 Bulat                            mailto:bulatz at HotPOP.com

More information about the Libraries mailing list