
The Python and Ruby communities are actively working on improving the
security of their packaging infrastructure. I haven't paid close attention
to any of the efforts so far, but anyone working on cabal/hackage security
should probably take a peek. I lurk on Python's catalog-sig list and here are
the interesting bits I've noticed from the past few weeks:
[Catalog-sig] [Draft] Package signing and verification process
http://mail.python.org/pipermail/catalog-sig/2013-February/004832.html
[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
http://mail.python.org/pipermail/catalog-sig/2013-February/004994.html
Python PyPi Security Working Document:
https://docs.google.com/document/d/1e3g1v8INHjHsUJ-Q0odQOO8s91KMAbqLQyqj20CS...
Rubygems Threat Model:
http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html
https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb...
TUF: The Update Framework
https://www.updateframework.com/
On Fri, Feb 1, 2013 at 4:07 AM, Christopher Done wrote:
Hey dude, it looks like we made the same project yesterday:
http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_pac...
Yours is nice as it doesn't depend on GPG. Although that could be a nice thing because GPG manages keys. Dunno.
Another diff is that mine puts the .sig inside the .tar.gz, yours puts it separate.
=)
On 31 January 2013 09:11, Vincent Hanquez wrote:
On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
https://status.heroku.com/incidents/489
Unsigned Hackage packages are a ticking time bomb.
I agree this is terrible. I've started working on this, but this is quite a bit of work and other priorities always pop up.
https://github.com/vincenthz/cabal https://github.com/vincenthz/cabal-signature
My current implementation generates a manifest during sdist'ing in cabal, and has cabal-signature called by cabal on the manifest to create a manifest.sign.
The main issue I'm facing is how to create a Web of Trust for doing all the public verification bits.
-- Vincent
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe