hackage, cabal-get, and security

Isaac Jones ijones at syntaxpolice.org
Wed May 18 14:10:11 EDT 2005


Bulat Ziganshin <bulatz at HotPOP.com> writes:

> Hello Isaac,
>
> Wednesday, May 18, 2005, 8:07:04 PM, you wrote:
>
> IJ> If someone doesn't want to take part in the keysigning, they don't
> IJ> have to.  The user will be warned that the authenticity of the package
> IJ> can't be verified.
>
> I think that the author of the software makes the decision whether to
> trust or not trust a package signed with a home-made key. Warning the
> user about this is too protective. Another story is when the package is
> downloaded not as part of a compile-some-big-app process, but by the
> programmer for his own use.

The author can't decide whether the end-user should trust the author.

> I think that to make my viewpoint more obvious, I must tell you just
> about myself. I have written several libs, and I don't know Simon PJ
> or Haskell Church personally, so no one can say that I am really me :)
>
> Does that mean that my libs will be second-sort? :)
>
> Next. I, Joe Lucky, install the software written by someone. Does it
> really matter to me that this software relies on packages written by
> trusted or untrusted authorities?

I can't quite figure out what you're saying here, but the point is
that the end-user gets to decide who they trust.  If they don't mind
installing packages from a so-called "untrusted" source, then no big
deal.  Most people probably don't mind; those people may or may not
eventually be compromised by trusting random stuff downloaded from the
internet.

> Next. I don't know how to use gpg and don't want to know :)  You say
> that security will get more important because the number of Haskell
> users will grow. Actually, creating a complex security scheme is an
> excellent way to solve this problem - the number of Haskell users will
> just not grow because this scheme will be too complex. Remember - when
> the number of people grows, their average qualification falls.

We intend to make the tools easy to use.

> I don't love to debate, but creating a CPAN-like package library is
> one of the key steps to raising language popularity. And I definitely
> want the entrance ticket to this library to cost less than $50 ;)

I tried to make clear that Alexander Jacobson's SSL proposal is
completely different from the Hackage security proposal.  The Hackage
security proposal doesn't cost any money.


peace,

  isaac
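The trust model Isaac describes in this thread (the author signs with whatever key they have, home-made or not; the tool verifies; the end user, not the author, decides which keys to trust and is warned when authenticity cannot be verified) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from cabal-get, Hackage, or either participant. It assumes Ed25519 signatures rather than gpg, a hypothetical fingerprint format (SHA-256 of the raw key), and a constructed sample tarball.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is what the installer learns about a package's provenance.
type Verdict int

const (
	Unsigned         Verdict = iota // no signature shipped with the package
	BadSignature                    // signature present but does not match the contents
	SignedUnknownKey                // valid signature from a key the user has not trusted
	SignedTrustedKey                // valid signature from a key in the user's trust store
)

func (v Verdict) String() string {
	return [...]string{"unsigned", "bad signature", "signed by untrusted key", "signed by trusted key"}[v]
}

// Package carries a tarball plus the author's (possibly home-made) public key and signature.
type Package struct {
	Name    string
	Tarball []byte
	Signer  ed25519.PublicKey // nil when the author did not sign
	Sig     []byte
}

// TrustStore holds the fingerprints of keys the end user has decided to trust.
type TrustStore map[string]bool

// Fingerprint identifies a key by the SHA-256 of its raw bytes (hypothetical format, assumed here).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// digest binds the package name to its contents so a signature cannot be
// replayed onto a differently named package.
func digest(name string, tarball []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently
	h.Write(tarball)
	return h.Sum(nil)
}

// Sign is what an author runs with their own key; nobody else needs to have trusted it.
func Sign(priv ed25519.PrivateKey, name string, tarball []byte) Package {
	return Package{
		Name:    name,
		Tarball: tarball,
		Signer:  priv.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(priv, digest(name, tarball)),
	}
}

// Check classifies a package without deciding anything: the decision is the user's.
func Check(p Package, trust TrustStore) Verdict {
	if p.Signer == nil || len(p.Sig) == 0 {
		return Unsigned
	}
	if !ed25519.Verify(p.Signer, digest(p.Name, p.Tarball), p.Sig) {
		return BadSignature
	}
	if trust[Fingerprint(p.Signer)] {
		return SignedTrustedKey
	}
	return SignedUnknownKey
}

// Decide applies the end user's policy: allowUnverified is their choice to
// install packages whose authenticity cannot be verified, after a warning.
func Decide(v Verdict, allowUnverified bool) (install bool, warning string) {
	switch v {
	case SignedTrustedKey:
		return true, ""
	case BadSignature:
		// A failed verification is not "unverified"; it is evidence of tampering.
		return false, "signature does not match the package contents; refusing to install"
	default: // SignedUnknownKey, Unsigned
		return allowUnverified, fmt.Sprintf("package is %s; its authenticity cannot be verified", v)
	}
}

func main() {
	// Constructed sample: two authors with home-made keys and one tiny "tarball".
	_, alice, _ := ed25519.GenerateKey(rand.Reader)
	_, bob, _ := ed25519.GenerateKey(rand.Reader)
	tarball := []byte("constructed tarball bytes of foo-1.0")

	fromAlice := Sign(alice, "foo-1.0", tarball)
	fromBob := Sign(bob, "foo-1.0", tarball)
	tampered := fromBob
	tampered.Tarball = append([]byte{}, tarball...)
	tampered.Tarball[0] ^= 1 // one flipped bit after signing

	// The end user has chosen to trust only Alice's key.
	trust := TrustStore{Fingerprint(fromAlice.Signer): true}
	for _, p := range []Package{fromAlice, fromBob, tampered, {Name: "foo-1.0", Tarball: tarball}} {
		v := Check(p, trust)
		ok, warn := Decide(v, true)
		fmt.Printf("%-24s install=%v %s\n", v, ok, warn)
	}
}
```

The split between Check and Decide is the point of the example: verification is mechanical and the same for everyone, while the trust store and the allowUnverified flag belong to the end user, which is exactly why an author cannot decide on the user's behalf. One choice not taken from the thread is that a signature which fails to verify is refused regardless of policy, since that is a mismatch rather than an unknown signer.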

