
Hi folks,

We're doing an alpha release of the hackage security work today and we'd like to invite you all to help test it.

In addition to the security improvements it includes automatic use of mirrors (including the server distributing a list of available public mirrors) and includes incremental downloads of the hackage index, so cabal update should be a lot faster.

At this alpha stage we would like some but not too many users to try it out, so when things do break we don't have it break for too many people all at once. But subscribers to this list are just the kind of expert users who we'd like to try it out and report issues. In particular we're interested in any problems caused by crazy proxies and annoying things of that ilk.

During the beta we'll make the whole thing a bit more user friendly to get more people to try it out. So for the moment you have to grab things from git branches etc. All the details are in this blog post:

http://www.well-typed.com/blog/2015/07/hackage-security-alpha/

As it says there, report issues in the github bug tracker.

Oh and I don't think we say it in the blog post but the idea is that for any of the new library dependences for the security stuff, if any of them are problematic we can just bundle them with cabal-install (we'll probably just bundle them all). The design deliberately keeps these dependencies to a minimum: SHA256 hashing, ed25519 signing/checking provided by minimal bundled C code. For the alpha the cabal-install integration just uses these as external dependencies.

--
Duncan Coutts, Haskell Consultant
Well-Typed LLP, http://www.well-typed.com/

Where exactly should I be looking for /snapshot.json?

% curl -D - https://hackage.haskell.org/snapshot.json
HTTP/1.1 404 Not Found
Server: nginx/1.8.0
Content-Type: text/plain
Content-Length: 43
Accept-Ranges: bytes
Date: Wed, 08 Jul 2015 13:35:35 GMT
Via: 1.1 varnish
Age: 0
Connection: keep-alive
X-Served-By: cache-fra1245-FRA
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1436362535.049275,VS0,VE132

Page not found: Sorry, it's just not here.

On 08/07/15 16:08, Duncan Coutts wrote:
> Hi folks,
>
> We're doing an alpha release of the hackage security work today and we'd like to invite you all to help test it.
>
> In addition to the security improvements it includes automatic use of mirrors (including the server distributing a list of available public mirrors) and includes incremental downloads of the hackage index, so cabal update should be a lot faster.
>
> At this alpha stage we would like some but not too many users to try it out, so when things do break we don't have it break for too many people all at once. But subscribers to this list are just the kind of expert users who we'd like to try it out and report issues. In particular we're interested in any problems caused by crazy proxies and annoying things of that ilk.
>
> During the beta we'll make the whole thing a bit more user friendly to get more people to try it out. So for the moment you have to grab things from git branches etc. All the details are in this blog post:
>
> http://www.well-typed.com/blog/2015/07/hackage-security-alpha/
>
> As it says there, report issues in the github bug tracker.
>
> Oh and I don't think we say it in the blog post but the idea is that for any of the new library dependences for the security stuff, if any of them are problematic we can just bundle them with cabal-install (we'll probably just bundle them all). The design deliberately keeps these dependencies to a minimum: SHA256 hashing, ed25519 signing/checking provided by minimal bundled C code. For the alpha the cabal-install integration just uses these as external dependencies.

Hi Roman.

On Wed, Jul 08, 2015 at 04:37:44PM +0300, Roman Cheplyaka wrote:
> Where exactly should I be looking for /snapshot.json?
>
> % curl -D - https://hackage.haskell.org/snapshot.json

They're provided on the two "mirrors", but not on the main Hackage server (yet):

https://hackage.haskell.org/security-alpha/mirror1/snapshot.json
https://hackage.haskell.org/security-alpha/mirror2/snapshot.json

Cheers,
Andres

--
Andres Löh, Haskell Consultant
Well-Typed LLP, http://www.well-typed.com
Registered in England & Wales, OC335890
250 Ice Wharf, 17 New Wharf Road, London N1 9RF, England

On Wed, 2015-07-08 at 15:10 +0100, Andres Löh wrote:
> Hi Roman.
>
> On Wed, Jul 08, 2015 at 04:37:44PM +0300, Roman Cheplyaka wrote:
> > Where exactly should I be looking for /snapshot.json?
> >
> > % curl -D - https://hackage.haskell.org/snapshot.json
>
> They're provided on the two "mirrors", but not on the main Hackage server (yet):
>
> https://hackage.haskell.org/security-alpha/mirror1/snapshot.json
> https://hackage.haskell.org/security-alpha/mirror2/snapshot.json

Right, for the alpha we're just providing these two "mirrors" which are just static file sets (created by the hackage-security tool for managing file based repos). The plan is that for the beta we'll deploy the server side code on hackage.h.o meaning that the main "smart" server will provide all the required security metadata.

--
Duncan Coutts, Haskell Consultant
Well-Typed LLP, http://www.well-typed.com/

participants (3)
- Andres Löh
- Duncan Coutts
- Roman Cheplyaka