hackage, cabal-get, and security

Isaac Jones ijones at syntaxpolice.org
Wed May 18 19:04:09 EDT 2005

I don't have time to respond point-for-point, but I'll just outline
where Alex has once again grossly mis-characterized things.

A lot of what he says about the advantages of SSL over GPG are only
true insofar as SSL does not solve these problems at all.

Also, Hackage is coupled with a tool called cabal-get which actually
does the installation onto the end-user's machine, so his
characterization of Hackage as simply a package database is also
incorrect (HackageDB is the database part.)

His assertion that no one uses codesigning is also incorrect.  It is used
very successfully in the Debian GNU/Linux system for a nearly
identical problem.  Debian is renowned for its packaging solutions.

The difficulties with using GPG can be simplified by writing wrapper
tools.  That has been the plan all along.

The web of trust will _not_ prevent people who don't know SimonPJ from
distributing libraries, everyone will be able to distribute libraries.

I hope by now people learn to take Alex's bold assertions with a grain
of salt.  I wouldn't keep following up to these emails except that
folks keep asking me personally if he's right.  I don't know if I have
time to continue pointing out exactly where his mis-characterizations
lie, but I hope that doesn't mean that he will take away our mindshare
by speaking untruths about our tools.
