The Python and Ruby communities are actively working on improving the security of their packaging infrastructure. I haven't paid close attention to any of the efforts so far, but anyone working on cabal/hackage security should probably take a peek. I lurk on Python's catalog-sig list and here's the interesting bits I've noticed from the past few weeks: [Catalog-sig] [Draft] Package signing and verification process http://mail.python.org/pipermail/catalog-sig/2013-February/004832.html [Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security http://mail.python.org/pipermail/catalog-sig/2013-February/004994.html Python PyPi Security Working Document: https://docs.google.com/document/d/1e3g1v8INHjHsUJ-Q0odQOO8s91KMAbqLQyqj20CS... Rubygems Threat Model: http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb... TUF: The Update Framework https://www.updateframework.com/ On Fri, Feb 1, 2013 at 4:07 AM, Christopher Done <chrisdone@gmail.com>wrote:
Hey dude, it looks like we made the same project yesterday:
http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_pac...
Yours is nice as it doesn't depend on GPG. Although that could be a nice thing because GPG manages keys. Dunno.
Another diff is that mine puts the .sig inside the .tar.gz, yours puts it separate.
=)
On 31 January 2013 09:11, Vincent Hanquez <tab@snarc.org> wrote:
On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
https://status.heroku.com/incidents/489
Unsigned Hackage packages are a ticking time bomb.
I agree this is terrible, I've started working on this, but this is quite a bit of work and other priorities always pop up.
https://github.com/vincenthz/cabal https://github.com/vincenthz/cabal-signature
My current implementation generate a manifest during sdist'ing in cabal, and have cabal-signature called by cabal on the manifest to create a manifest.sign.
The main issue i'm facing is how to create a Web of Trust for doing all the public verification bits.
-- Vincent
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe