hackage, cabal-get, and security

Malcolm Wallace Malcolm.Wallace at cs.york.ac.uk
Wed May 11 06:27:27 EDT 2005

Isaac Jones <ijones at syntaxpolice.org> writes:

> 1) Generate a gnupg key.
> 2) use cabal-put to sign and upload a package
> 3) cabal-get can then be used to download and install as before, but
>    first it checks the signatures of all the packages.
> What do folks think of that?

Personally, I think it sounds good.

Security is becoming ever more important, and the Haskell community
is growing, thereby increasing the currently remote possibility of
deliberate malware.  Since installation via hackage will be both
automatic, and often performed with root access, it is essential
to have a good security model from the beginning.  The one you
propose seems to have a low overhead, after the initial barrier of
establishing trust.

Having said all that, I don't know the first thing about gnupg, or
how to go about signing keys or anything like that.  I imagine that
for people in remote locations, bootstrapping into the web of trust
might be significantly more of a barrier than they would like.
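
The three quoted steps, sketched with plain gpg and gpgv as an added example that is not part of the original post or of any cabal tooling: cabal-put and cabal-get are only proposed in this thread, so the function names, paths, key identity and package file below are hypothetical and constructed for the demonstration. The empty-keyring case shows the trust bootstrapping point raised in the reply: a valid signature from a key the installer does not yet trust is still refused.

```bash
#!/usr/bin/env bash
# Added example: sign, then verify before install, using plain gpg/gpgv.
# Function names, paths and the key identity are hypothetical; the key and
# the "package" are throwaway values constructed for this demonstration.

# Step 1: generate a signing key (empty passphrase, demonstration only).
make_key() {  # make_key <gnupg-home> <user-id>
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key "$2" default default never
}

# Step 2: the uploader writes a detached signature next to the tarball.
sign_pkg() {  # sign_pkg <gnupg-home> <tarball>
  gpg --homedir "$1" --batch --yes --quiet \
      --detach-sign --output "$2.sig" "$2"
}

# Step 3: the installer checks the signature against a keyring that holds
# only keys it already trusts, and fails closed on any problem.
verify_pkg() {  # verify_pkg <trusted-keyring> <tarball>
  [ -f "$2.sig" ] || { echo "refusing $2: no signature" >&2; return 1; }
  gpgv --keyring "$1" "$2.sig" "$2" 2>/dev/null
}

# Runs all three steps; returns 0 only if every check behaves as expected.
demo() {
  local work home pkg rc=0
  work=$(mktemp -d) || return 1
  home="$work/uploader"; pkg="$work/foo-1.0.tar.gz"
  mkdir -m 700 "$home"
  printf 'constructed package contents\n' > "$pkg"
  make_key "$home" 'Demo Uploader <uploader@example.invalid>' 2>/dev/null &&
    sign_pkg "$home" "$pkg" &&
    gpg --homedir "$home" --batch --export > "$work/trusted.gpg" || rc=1
  : > "$work/empty.gpg"                           # installer trusts nobody yet
  verify_pkg "$work/trusted.gpg" "$pkg" || rc=1   # genuine: must be accepted
  verify_pkg "$work/empty.gpg" "$pkg" && rc=1     # unknown signer: rejected
  printf 'injected\n' >> "$pkg"                   # tamper after signing
  verify_pkg "$work/trusted.gpg" "$pkg" && rc=1   # modified: rejected
  GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  return "$rc"
}
```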


More information about the Libraries mailing list