hackage, cabal-get, and security
Bulat Ziganshin
bulatz at HotPOP.com
Wed May 18 12:53:31 EDT 2005
Hello Isaac,
Wednesday, May 18, 2005, 8:07:04 PM, you wrote:
IJ> If someone doesn't want to take part in the keysigning, they don't
IJ> have to. The user will be warned that the authenticity of the package
IJ> can't be verified.
I think that the author of the software makes the decision whether to
trust or not trust a package signed with a home-made key. Warning the
user about this is too protective. It is another story when a package
is downloaded not as part of a compile-some-big-app process, but by the
programmer for his own use.

I think that to make my viewpoint more obvious, I must tell just about
myself. I have written several libs, and I don't personally know
Simon PJ or Haskell Church, so no one can say that me is really me :)
Does that mean that my libs will be second-sort? :)

Next. I, Joe Lucky, install software written by someone. Does it
really matter to me whether this software relies on packages written by
trusted or untrusted authorities?

Next. I don't know how to use gpg and don't want to know :) You say
that security will get more important because the number of Haskell
users will grow. Actually, creating a complex security scheme is an
excellent way to solve this problem - the number of Haskell users will
just not grow, because this scheme will be too complex. Remember - when
the number of people grows, their average qualification falls.

I don't love to debate, but creating a CPAN-like package library is
one of the key steps to raising the language's popularity. And I
definitely want the entrance ticket to this library to cost less than
$50 ;)

--
Best regards,
Bulat mailto:bulatz at HotPOP.com