hackage, cabal-get, and security

Dominic Steinitz dominic.steinitz at blueyonder.co.uk
Thu May 19 15:19:12 EDT 2005

>Peter Simons <simons at cryp.to <http://www.haskell.org/mailman/listinfo/libraries>> writes:
>Dominic Steinitz asks:
>>/  > 2. How do I get a trusted key given I am not likely to
>/>/  > meet anybody "trusted" in the near future?
>/>/ Unfortunately, that is impossible. Your best bet is to have
>/>/ everybody sign everybody else's key at every possible
>/>/ opportunity, and that still won't mean that the key Joe Doe
>/>/ downloaded from the Internet will be for real.
>For now, I'm thinking that a "trusted key", from Hackage's
>perspective, will be a that has a path, which I trust, from me to the
>keyholder.  In particular, in the short term at least, I'm hoping that
>folks in Debian will be willing to sign Haskell users' keys.  This is
>convenient since Debian Developers are scattered all over the world.
>There may even be one near you ;) To me, this is a high-enough bar.
>If anyone disagrees strongly with that, let me know, but please also
>suggest a solution.
>Why me?  Because I have physical access to the box that Hackage will
>live on, and I have a good handful of trusted keys.

I'm not sure I appreciated this. Are you saying that the package builder 
signs with their key and then uploads it and you sign it?

>>/  > 3. What constitutes a "trusted" key?
>/>/ There are no trusted keys. The decision of whether to trust
>/>/ a key or not _must_ be made by the person who downloads the
>/>/ package -- the user. Nobody else can make that decision for
>/>/ him.
>Right.  Hackage will sign packages which are signed by keys that it
>trusts, and cabal-get will come with a hackage public key.  I suppose
>cabal-get should ask whether or not to trust the hackage key by
>default upon installation.
So the package installer trusts the hackage key but not the package 
builder's key? This implies you trust the package builder's key 
(somehow) and sign the package with the hackage key. What happens if you 
are not available? How do you do delegation?

I'm still not clear how keys get revoked in pgp. If the hackage key gets 
compromised what happens? If the package builder's key gets compromised 
what happens? I assume you have to revoke the hackage key and the 
builder has to revoke their key. Is my understanding correct?

Another question which I don't think has been answered: suppose I become 
untrustworthy (I start putting trojans in my code) what happens? I 
assume the answer is you, as gatekeeper, find out and then no longer 
sign my code with the hackage key?

>BTW, if anyone wants to help hack on this, let me know :)
I'd be happy to help if you let me know what needs doing.


More information about the Libraries mailing list