Re: [Haskell-cafe] Offer to mirror Hackage

On Wed, Dec 08, 2010 at 11:41:31AM +0100, Ketil Malde wrote:

Vincent Hanquez writes:

...

You have to start somewhere with security.

Yes. And you should start with assessing how much cost and inconvenience you are willing to suffer for the improvement in security you gain. In this case, my assertion is that the marginal worsening of security by having a mirror of hackage even without signing of packages etc., is less than the marginal improvement in usability.

I'm a bit surprised to find that there seems to be a lot of opposition to this view, but perhaps the existing structure is more secure than I thought? Or the benefit of a mirror is exaggerated - I can see how it would be annoying to have hackage down, but it hasn't happened to my, so perhaps those complaining about it just were very unlucky.

Having one glaring security problem is not a good reason to introduce another one. It just makes more to fix. As for mirroring, I'm all in favor of any random user doing a mirror. The only place I see a problem is making those "official" mirrors. If you were to mirror and announce that you had one then I can trust you or not. There are some people I would trust to have valid mirrors. Darrin