
Ertugrul Söylemez wrote:
> People are using Hackage!
+1. And I keep telling people to use it. Sure, it'd be better if they used .debs, .rpms, or whatever goes on Mac and Windows. But that would mean I would need to build those packages, including maintaining systems with the respective OSes. I haven't even managed to do it for the systems I do use. The most simple and obvious threat here is that some random evil person gets a Hackage account, uploads a new version of a common package with a trojan, and waits for unsuspecting users to download and install it.
> My proposal is:
> 1. Build the necessary machinery into Cabal to allow signing [...]
*MY* proposal is that: 0. Hackage sends an email to the previous uploader whenever a new version of a package is uploaded by somebody else. At least that way, I would be notified if it happened to my packages, and I would be able to check up on the situation, and rectify it. This is not to say that cryptographic signing is the wrong thing to do, but a very simple thing like this, which would probably take all of five minutes to implement, would reduce risk by a substantial amount.

-k
-- 
If I haven't seen further, it is by standing in the footprints of giants
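The "notify the previous uploader" check proposed above, as an added example that is not part of the thread and not Hackage's own code. It replays a constructed upload log (package names and account names are made up) and emits an alert whenever a version is uploaded by an account other than the one that uploaded the previous version. The assumption that an account name maps to an e-mail address is hypothetical.

```python
"""Constructed example of the previous-uploader notification check.
Not Hackage's code; the upload log and account names below are made up."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Upload:
    package: str
    version: str
    uploader: str  # account name; assumed (hypothetically) to map to an e-mail address


# Hypothetical upload log, in chronological order (constructed sample data).
UPLOAD_LOG: List[Upload] = [
    Upload("foo-lib", "1.0", "alice"),
    Upload("foo-lib", "1.1", "alice"),
    Upload("bar-util", "0.2", "bob"),
    Upload("foo-lib", "1.2", "mallory"),  # a different account uploads foo-lib
    Upload("bar-util", "0.3", "bob"),
    Upload("foo-lib", "1.3", "mallory"),  # same account as the previous version: no alert
]

Alert = Tuple[str, str, str, str]  # (package, version, previous uploader, new uploader)


def uploader_change_alerts(log: List[Upload]) -> List[Alert]:
    """Replay the log in order and return one alert per upload whose uploader
    differs from the uploader of the package's previous version."""
    last_uploader: Dict[str, str] = {}
    alerts: List[Alert] = []
    for up in log:
        prev = last_uploader.get(up.package)
        if prev is not None and prev != up.uploader:
            alerts.append((up.package, up.version, prev, up.uploader))
        last_uploader[up.package] = up.uploader
    return alerts


def format_notification(alert: Alert) -> str:
    """Render the e-mail that would go to the previous uploader."""
    package, version, prev, new = alert
    return (
        f"To: {prev}\n"
        f"Subject: [hackage] {package}-{version} uploaded by {new}\n\n"
        f"Version {version} of {package} was uploaded by account '{new}'.\n"
        f"You uploaded the previous version. If you did not expect this, "
        f"please review the upload."
    )


if __name__ == "__main__":
    for alert in uploader_change_alerts(UPLOAD_LOG):
        print(format_notification(alert))
        print()
```

Note the limitation visible in the sample log: the check compares only against the immediately previous uploader, so once a new account has uploaded a version, its later uploads look normal and the original uploader hears nothing further. Comparing against the package's full maintainer list, or against every account that has ever uploaded it, would close that gap at the cost of more notifications.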