hackage, cabal-get, and security
ijones at syntaxpolice.org
Wed May 18 14:10:11 EDT 2005
Bulat Ziganshin <bulatz at HotPOP.com> writes:
> Hello Isaac,
> Wednesday, May 18, 2005, 8:07:04 PM, you wrote:
> IJ> If someone doesn't want to take part in the keysigning, they don't
> IJ> have to. The user will be warned that the authenticity of the package
> IJ> can't be verified.
> I think that the author of the software makes the decision whether to
> trust or not trust a package signed with a home-made key. Warning the
> user about this is too protective. Another story is when the package is
> downloaded not as part of a compile-some-big-app process, but by the
> programmer for his own use.
The author can't decide whether the end-user should trust the author.
> I think that to make my viewpoint more obvious, I must tell you just
> about myself. I have written several libs, and I don't know Simon PJ
> or Haskell Church personally, so no one can say that I am really me :)
> Does that mean that my libs will be second-rate? :)
> Next. I, Joe Lucky, install software written by someone. Does it
> really matter for me whether this software relies on packages written
> by trusted or untrusted authorities?
I can't quite figure out what you're saying here, but the point is
that the end-user gets to decide who they trust. If they don't mind
installing packages from a so-called "untrusted" source, then no big
deal. Most people probably don't mind; those people may or may not
eventually be compromised by trusting random stuff downloaded from the
> Next. I don't know how to use gpg and don't want to know :) You say
> that security will get more important because the number of Haskell
> users will grow. Actually, creating a complex security scheme is an
> excellent way to solve this problem - the number of Haskell users will
> just not grow because this scheme will be too complex. Remember - when
> the number of people grows, their average qualification falls.
We intend to make the tools easy to use.
> I don't love to debate, but creating a CPAN-like package library is
> one of the key steps to raising language popularity. And I definitely
> want the entrance ticket to this library to cost less than $50 ;)
I tried to make clear that Alexander Jacobson's SSL proposal is
completely different from the Hackage security proposal. The hackage
security proposal doesn't cost any money.