I've read the discussion about who is able to upload packages.. This is nice if you want to install most common packages.. But the packaging system is intended to save time. Thus what about I want to install an experimntal synthesizer which uses an experimental haskore interface from a person who hasn't registered his lib on hackage-db yet? In short: Would it be useful to allow speciyfing different download locations for dependencies in a cabal file? -- Lib.cabal -- depends: ExperimentalLib > 2.0 { location: http://person/haskell/ExperimentalLib.cabal } [...] This would give much more freedom .. I agree that it might be useful to "mask" those packages ... But its much more convinient to do cabal-install --allow-non-hackage-locations Lib than downloading/ installing/ updating those libs manually ? I think if you need total security you won't use this flag or use someithing like chroot (already mentioned) or user mode linux .. ;) But this issue adresses the question: What is hackage about: an automated installation system or an automated installation system + package list (centralized at hackagedb ?) Marc