On 17-04-2015 10:17, Michael Snoyman wrote:
> This is a great idea, thank you both for raising it. I was discussing
> something similar with others in a text chat earlier this morning. I've
> gone ahead and put together a page to cover this discussion:
>
> https://github.com/commercialhaskell/commercialhaskell/blob/master/proposal/improved-hackage-security.md
>
> The document definitely needs more work, this is just meant to get the ball
> rolling. As usual with the commercialhaskell repo, if anyone wants edit
> access, just request it on the issue tracker. Or most likely, send a PR and
> you'll get a commit bit almost magically ;)

Thank you. Just to make sure that I understand -- is this page only
meant to cover the original "strawman proposal" at the start of this
thread, or...?

Maybe you intend for this to be extended in a detailed way under the
"Long-term solutions" heading?

I was imagining a wiki page which could perhaps start out by collecting
all the currently identified possible threats in a table, and then all
"participants" could perhaps fill in how their suggestion addresses
those threats (or tell us why we shouldn't care about this particular
threat). Of course other relevent non-threat considerations might be
relevant to add to such a table, such as: how prevalent is the
software/idea we're basing this on? does this have any prior
implementation (e.g. the append-to-tar and expect that web servers will
behave sanely thing)? etc.

(I realize that I'm asking for a lot of work, but I think it's going to
be necessary, at least if there's going to be consensus and not just a
de-facto "winner".)