hackage, cabal-get, and security

Isaac Jones ijones at syntaxpolice.org
Tue May 17 16:39:36 EDT 2005

Peter Simons <simons at cryp.to> writes:

> Dominic Steinitz asks:
>  > 2. How do I get a trusted key given I am not likely to
>  > meet anybody "trusted" in the near future?
> Unfortunately, that is impossible. Your best bet is to have
> everybody sign everybody else's key at every possible
> opportunity, and that still won't mean that the key Joe Doe
> downloaded from the Internet will be for real.

For now, I'm thinking that a "trusted key", from Hackage's
perspective, will be a key that has a path, which I trust, from me to the
keyholder.  In particular, in the short term at least, I'm hoping that
folks in Debian will be willing to sign Haskell users' keys.  This is
convenient since Debian Developers are scattered all over the world.
There may even be one near you ;) To me, this is a high-enough bar.
If anyone disagrees strongly with that, let me know, but please also
suggest a solution.

Why me?  Because I have physical access to the box that Hackage will
live on, and I have a good handful of trusted keys.

>  > 3. What constitutes a "trusted" key?
> There are no trusted keys. The decision of whether to trust
> a key or not _must_ be made by the person who downloads the
> package -- the user. Nobody else can make that decision for
> him.

Right.  Hackage will sign packages which are signed by keys that it
trusts, and cabal-get will come with a hackage public key.  I suppose
cabal-get should ask whether or not to trust the hackage key by
default upon installation.

BTW, if anyone wants to help hack on this, let me know :)
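
The trust rule described in this message (a key counts as trusted when a chain of signatures leads from the Hackage operator's key to the uploader's key) can be sketched as a graph search. This is an added example, not part of the original post and not Hackage or cabal-get code; the key ids, the depth limit and the revocation set are constructed assumptions.

```python
from collections import deque

# Constructed sample data: signer key id -> key ids it has certified.
# All key ids are made-up placeholders, not real keys.
CERTIFICATIONS = {
    "HACKAGE-ADMIN": {"DEBIAN-DEV-1", "DEBIAN-DEV-2"},
    "DEBIAN-DEV-1": {"HASKELL-USER-A"},
    "DEBIAN-DEV-2": {"DEBIAN-DEV-3"},
    "DEBIAN-DEV-3": {"HASKELL-USER-B"},
    "STRANGER": {"HASKELL-USER-C"},
}
# Assumption: keys known to be revoked must not appear anywhere on a chain.
REVOKED = {"DEBIAN-DEV-3"}


def trust_path(root, target, certs, revoked=frozenset(), max_depth=3):
    """Return the shortest certification chain root -> target, or None.

    A chain is usable only if no key on it is revoked and it is at most
    max_depth signatures long (max_depth is a hypothetical policy knob).
    """
    if root in revoked or target in revoked:
        return None
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain already uses the maximum number of signatures
        for signed in sorted(certs.get(path[-1], ())):
            if signed not in seen and signed not in revoked:
                seen.add(signed)
                queue.append(path + [signed])
    return None


def should_countersign(uploader_key, certs=CERTIFICATIONS, revoked=REVOKED):
    """Server-side decision: countersign only if the uploader key is reachable."""
    return trust_path("HACKAGE-ADMIN", uploader_key, certs, revoked) is not None
```

The client side stays simple under this model: it only has to verify the server's signature with the one public key it ships with, which is why the decision to trust that key belongs to the user at installation time.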
