hackage, cabal-get, and security

S. Alexander Jacobson alex at alexjacobson.com
Thu May 19 10:15:07 EDT 2005

On Wed, 18 May 2005, Isaac Jones wrote:
> Also, Hackage is coupled with a tool called cabal-get which actually
> does the installation onto the end-user's machine, so his
> characterization of Hackage as simply a package database is also
> incorrect (HackageDB is the database part.)

Perhaps I wasn't clear.  To me the most valuable thing about Hackage 
is that it provides a directory of already implemented functionality 
that developers may want to use.  I was silent about cabal-get because 
I don't think users who are not building packages should ever have to 
worry about dealing with package names.

SearchPath is intended to eventually abstract out the whole notion of 
package names.  It looks at all the imported modules in the modules you 
are passing to GHC, finds implementations for them on the Internet and 
downloads/installs them if necessary, all without the user even having 
to think about package names.

Note: right now it handles darcs/svn repositories but not packages. 
I hope to add package functionality soon (perhaps using cabal-get for 

> His assertion that no one uses codesigning is also incorrect.  It is used
> very successfully in the Debian GNU/Linux system for a nearly
> identical problem.  Debian is renowned for its packaging solutions.

Actually, the Debian model maps more closely to signing module maps 
than it does to signing packages.  Or more particularly, Debian 
provides you with no help in validating any package not part of a 
release.  Moreover, as I noted in my prior message, the Debian model 
is particularly irrelevant to the operation of Hackage's role in 
reliably mapping package names to URLs.

> The difficulties with using GPG can be simplified by writing wrapper
> tools.  That has been the plan all along.

That doesn't change the fact that it forces users to attend 
key-signing parties.  Note that Debian in fact relies on key 
signing parties.

> I hope by now people learn to take Alex's bold assertions with a grain
> of salt.  I wouldn't keep following up to these emails except that
> folks keep asking me personally if he's right.  I don't know if I have
> time to continue pointing out exactly where his mis-characterizations
> lie, but I hope that doesn't mean that he will take away our mindshare
> by speaking untruths about our tools.

Isaac, I thought the goal here was to improve things for the Haskell 
community not to build mindshare for a set of tools.  Personally, I 
hope that Hackage succeeds and does for Haskell what CPAN does for 
Perl.  Getting all defensive about "our tools" is just unhelpful.


S. Alexander Jacobson tel:917-770-6565 http://alexjacobson.com
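The resolution step the message above describes for SearchPath (read the imports of the modules handed to GHC, look each one up, fetch the repository that implements it) and the "signing module maps" point raised against the Debian comparison, as an added example. This is not SearchPath's, Hackage's or cabal-get's code: the two Haskell sources, the module map and its example.org URLs are constructed here, and the pinned SHA-256 over the map is a stand-in for whatever signature a real deployment would put on it. The point it makes concrete is that the module map, not the individual package, is the object whose integrity decides which URL gets fetched.

```python
"""Resolve Haskell imports to repositories through a module map (example code)."""
import hashlib
import re

# Constructed sample sources, as they might be handed to GHC.
SOURCES = {
    "Main.hs": "module Main where\n"
               "import Data.Map (Map)\n"
               "import qualified Network.HTTP as H\n"
               "import Text.XML.HaXml.Parse\n"
               "import Util\n"
               "main = return ()\n",
    "Util.hs": "module Util where\n"
               "import Data.Map\n"
               "import Text.XML.HaXml.Pretty\n"
               "import Some.Unknown.Module\n",
}

# Constructed module map (hypothetical URLs): module name, VCS, repository.
MODULE_MAP_TEXT = (
    "# module               vcs    url\n"
    "Network.HTTP           darcs  http://example.org/repos/http\n"
    "Text.XML.HaXml.Parse   darcs  http://example.org/repos/haxml\n"
    "Text.XML.HaXml.Pretty  darcs  http://example.org/repos/haxml\n"
)
# Hypothetical pinned digest: stands in for a signature over the map itself.
MODULE_MAP_SHA256 = hashlib.sha256(MODULE_MAP_TEXT.encode()).hexdigest()

# Assumed to ship with the compiler, so never looked up on the network.
BASE_MODULES = {"Prelude", "Data.Map"}

IMPORT_RE = re.compile(r"^\s*import\s+(?:qualified\s+)?([A-Z][\w.]*)", re.MULTILINE)
MODULE_RE = re.compile(r"^\s*module\s+([A-Z][\w.]*)", re.MULTILINE)


def imported_modules(source):
    """Module names imported by one Haskell source file."""
    return set(IMPORT_RE.findall(source))


def defined_modules(source):
    """Module names defined by one Haskell source file."""
    return set(MODULE_RE.findall(source))


def load_module_map(text, expected_sha256):
    """Parse the map only after it matches the pinned digest."""
    digest = hashlib.sha256(text.encode()).hexdigest()
    if digest != expected_sha256:
        raise ValueError("module map does not match pinned digest")
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, vcs, url = line.split()
        mapping[name] = (vcs, url)
    return mapping


def resolve(sources, module_map):
    """Return (repositories to fetch, modules with no known implementation)."""
    needed, local = set(), set()
    for src in sources.values():
        needed |= imported_modules(src)
        local |= defined_modules(src)
    needed -= local | BASE_MODULES          # local and compiler-provided modules
    repos, unresolved = set(), set()
    for mod in sorted(needed):
        if mod in module_map:
            repos.add(module_map[mod])      # same repo for several modules is deduplicated
        else:
            unresolved.add(mod)
    return repos, unresolved


if __name__ == "__main__":
    mapping = load_module_map(MODULE_MAP_TEXT, MODULE_MAP_SHA256)
    repos, missing = resolve(SOURCES, mapping)
    for vcs, url in sorted(repos):
        print(f"fetch {vcs} {url}")
    for mod in sorted(missing):
        print(f"no implementation known for {mod}")
```

Note that a map that fails the integrity check is rejected before any URL is read from it; appending a line to the map changes its digest and the resolver refuses to use it, which is the property a signature on the map (rather than on each package) would give a SearchPath-style tool.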
