+1 for keeping this alive.<div>Apart from the initial hype, now this issue is slowly losing attention but I think we should always keep the risk we are exposed to.</div><div>Being I will sound pessimistic, but we should learn from the &quot;competitors&quot; mistakes :)</div>
<div><br></div><div>Cheers,</div><div>A.</div><div><br><div class="gmail_quote">On 12 February 2013 08:49, Bob Ippolito <span dir="ltr">&lt;<a href="mailto:bob@redivi.com" target="_blank">bob@redivi.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The Python and Ruby communities are actively working on improving the security of their packaging infrastructure. I haven&#39;t paid close attention to any of the efforts so far, but anyone working on cabal/hackage security should probably take a peek. I lurk on Python&#39;s catalog-sig list and here&#39;s the interesting bits I&#39;ve noticed from the past few weeks:<div>

<br></div><div>[Catalog-sig] [Draft] Package signing and verification process</div><div><a href="http://mail.python.org/pipermail/catalog-sig/2013-February/004832.html" target="_blank">http://mail.python.org/pipermail/catalog-sig/2013-February/004832.html</a><br>

</div><div><br></div><div>[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security<br></div><div><a href="http://mail.python.org/pipermail/catalog-sig/2013-February/004994.html" target="_blank">http://mail.python.org/pipermail/catalog-sig/2013-February/004994.html</a><br>

</div><div><br></div><div>Python PyPi Security Working Document:<br></div><div><a href="https://docs.google.com/document/d/1e3g1v8INHjHsUJ-Q0odQOO8s91KMAbqLQyqj20CSZYA/edit" target="_blank">https://docs.google.com/document/d/1e3g1v8INHjHsUJ-Q0odQOO8s91KMAbqLQyqj20CSZYA/edit</a><br>

</div><div><br></div><div>Rubygems Threat Model:<br></div><div><div><div><a href="http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html" target="_blank">http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html</a><br>

</div><div></div><div><a href="https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb_SA/edit" target="_blank">https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb_SA/edit</a></div>
<div><br></div>
</div></div><div>TUF: The Update Framework</div><div><a href="https://www.updateframework.com/" target="_blank">https://www.updateframework.com/</a><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">

On Fri, Feb 1, 2013 at 4:07 AM, Christopher Done <span dir="ltr">&lt;<a href="mailto:chrisdone@gmail.com" target="_blank">chrisdone@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Hey dude, it looks like we made the same project yesterday:<br>
<br>
<a href="http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/" target="_blank">http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/</a><br>


<br>
Yours is nice as it doesn&#39;t depend on GPG. Although that could be a<br>
nice thing because GPG manages keys. Dunno.<br>
<br>
Another diff is that mine puts the .sig inside the .tar.gz, yours puts<br>
it separate.<br>
<br>
=)<br>
<div><div><br>
On 31 January 2013 09:11, Vincent Hanquez &lt;<a href="mailto:tab@snarc.org" target="_blank">tab@snarc.org</a>&gt; wrote:<br>
&gt; On 01/30/2013 07:27 PM, Edward Z. Yang wrote:<br>
&gt;&gt;<br>
&gt;&gt; <a href="https://status.heroku.com/incidents/489" target="_blank">https://status.heroku.com/incidents/489</a><br>
&gt;&gt;<br>
&gt;&gt; Unsigned Hackage packages are a ticking time bomb.<br>
&gt;&gt;<br>
&gt; I agree this is terrible, I&#39;ve started working on this, but this is quite a<br>
&gt; bit of work and other priorities always pop up.<br>
&gt;<br>
&gt; <a href="https://github.com/vincenthz/cabal" target="_blank">https://github.com/vincenthz/cabal</a><br>
&gt; <a href="https://github.com/vincenthz/cabal-signature" target="_blank">https://github.com/vincenthz/cabal-signature</a><br>
&gt;<br>
&gt; My current implementation generate a manifest during sdist&#39;ing in cabal, and<br>
&gt; have cabal-signature called by cabal on the manifest to create a<br>
&gt; manifest.sign.<br>
&gt;<br>
&gt; The main issue i&#39;m facing is how to create a Web of Trust for doing all the<br>
&gt; public verification bits.<br>
&gt;<br>
&gt; --<br>
&gt; Vincent<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; Haskell-Cafe mailing list<br>
&gt; <a href="mailto:Haskell-Cafe@haskell.org" target="_blank">Haskell-Cafe@haskell.org</a><br>
&gt; <a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/mailman/listinfo/haskell-cafe</a><br>
<br>
_______________________________________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org" target="_blank">Haskell-Cafe@haskell.org</a><br>
<a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/mailman/listinfo/haskell-cafe</a><br>
</div></div></blockquote></div><br></div>
<br>_______________________________________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org">Haskell-Cafe@haskell.org</a><br>
<a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/mailman/listinfo/haskell-cafe</a><br>
<br></blockquote></div><br></div>