
On Thu, Apr 16, 2015 at 03:28:10PM +0000, Michael Snoyman wrote:
> Minor update. Some of your points about checking signatures before unpacking made me curious about what Git had to offer in these circumstances. For those like me who were unaware of the functionality, it turns out that Git has the option to reject non-signed commits, just run:
>
>     git pull --verify-signatures
>
> I've set up the Travis job that pulls from Hackage to sign its commits with the GPG key I've attached to this email (fingerprint E595 AD42 14AF A6BB 1552 0B23 E40D 74D6 D6CF 60FD).

Nice one!

One thing I, as a developer of a tool that consumes the Hackage index[1], would like to see is a bit more meta data, in particular

- alternative download URLs for the source
- hashes of the source (probably needs to be per URL)

I thought I saw something about this in the thread, but going through it again I can't seem to find it. Would this sort of thing also be included in "improvements to package hosting"?

/M

[1]: http://hackage.haskell.org/package/cblrepo

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

There's a big difference between making something easy to use and making it productive.
     -- Adam Bosworth
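
Added example, not part of the original messages and not code from the Hackage tooling: a shell sketch that checks a key file against the fingerprint quoted above before importing it, then runs the `git pull --verify-signatures` command from the quoted message. The key file name, the clone path and the function names are assumptions, and it assumes a GnuPG new enough to provide `--show-keys`.

```shell
#!/bin/sh
# Fingerprint as stated in the quoted message, with the spaces removed.
EXPECTED_FPR="E595AD4214AFA6BB15520B23E40D74D6D6CF60FD"

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
# The first "fpr" record belongs to the primary key; field 10 holds the value.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the colon-format listing on stdin matches EXPECTED_FPR.
fpr_matches() {
    [ "$(primary_fpr)" = "$EXPECTED_FPR" ]
}

# Check the key file, import it, then pull with signature verification.
# $1 = key file (hypothetical name), $2 = local clone of the signed repository.
verified_pull() {
    keyfile=$1
    repo=$2
    gpg --show-keys --with-colons --with-fingerprint "$keyfile" | fpr_matches || {
        echo "fingerprint mismatch, not importing $keyfile" >&2
        return 1
    }
    gpg --import "$keyfile" || return 1
    # --verify-signatures checks only the tip commit of the branch being
    # merged, and GnuPG must also consider the key valid (for example after
    # signing it locally); an imported but unvalidated key is rejected.
    git -C "$repo" pull --verify-signatures
}

# Usage (names are placeholders):
#   verified_pull hackage-travis.asc ./path/to/clone
```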