searchPath and SSL <was: Short GPG HOWTO and Re: hackage, cabal-get, and security>

Isaac Jones ijones at
Tue May 17 16:30:28 EDT 2005

As a point of clarity, we're not discussing using SSL for Hackage,
this part of the thread is about Alex's SearchPath tool.

> Look, cryptographically GPG and SSL are very similar.  With either
> one, if you trust long chains of signings, you are at risk that any
> intervening key has been compromised.

I agree.  My only question is really in tool support and keyring /
certificate management.  For instance, are there tools like gnupg
where you can interactively browse and sign keys, upload signatures to
central keystores, have sets of trusted vs untrusted keys, etc.

I've found SSL to be very hard to work with, though I suppose you
could automate things, and I wouldn't be surprised to hear if there
are tools like gnupg for SSL certs.  I'd be glad to hear that,
actually :)

> The real differentiator between SSL and GPG is that the former is
> transport level while the later is file level.  With SSL, I think you
> suffer additional complexity each time you set up a web server.  With
> GPG, you suffer additional complexity each time you create a new file
> to share.  

We don't "suffer additional complexity".  You merely type in your key
password when uploading a single tarball.  That is "cabal-put
foo-1.0.tgz" ... type your password.

> I think most people create many more files to share than they set up
> web servers to serve them so I prefer the SSL model.

Many people who want to share packages don't configure their own web



More information about the Libraries mailing list