hackage, cabal-get, and security
ijones at syntaxpolice.org
Wed May 11 11:37:07 EDT 2005
Malcolm Wallace <Malcolm.Wallace at cs.york.ac.uk> writes:
> Isaac Jones <ijones at syntaxpolice.org> writes:
>> 1) Generate a gnupg key.
>> 2) use cabal-put to sign and upload a package
>> 3) cabal-get can then be used to download and install as before, but
>> first it checks the signatures of all the packages.
>> What do folks think of that?
> Personally, I think it sounds good.
> Security is becoming ever more important, and the Haskell community
> is growing, thereby increasing the currently remote possibility of
> deliberate malware. Since installation via hackage will be both
> automatic, and often performed with root access, it is essential
> to have a good security model from the beginning.
> Having said all that, I don't know the first thing about gnupg, or
> how to go about signing keys or anything like that. I imagine that
> for people in remote locations, bootstrapping into the web of trust
> might be significantly more of a barrier than they would like.
Since we will actually accept packages without signatures, I think
this isn't too bad of a problem. Users will get a warning if the key
is untrusted, and asked if they want to continue. Hopefully this will
present enough of a barrier for script-kiddies and an incentive for
packagers to get their keys signed.
Maybe the client should even reject untrusted packages and the end
user would have to go and twiddle some configuration somewhere to even
get the option to override it, that would encourage people to get
their keys signed even more :) Is that too harsh? Occasionally we may
have a problem with getting people into the keyring, but assuming we
can bootstrap from Debian's well-established web of trust, this
shouldn't be too bad.
More information about the Libraries