
On Fri, Apr 17, 2015 at 1:01 AM Magnus Therning wrote:
On Thu, Apr 16, 2015 at 03:28:10PM +0000, Michael Snoyman wrote:
Minor update. Some of your points about checking signatures before unpacking made me curious about what Git had to offer in these circumstances. For those like me who were unaware of the functionality, it turns out that Git has the option to reject non-signed commits; just run:
git pull --verify-signatures
I've set up the Travis job that pulls from Hackage to sign its commits with the GPG key I've attached to this email (fingerprint E595 AD42 14AF A6BB 1552 0B23 E40D 74D6 D6CF 60FD).
Nice one!
One thing I, as a developer of a tool that consumes the Hackage index[1], would like to see is a bit more meta data, in particular
- alternative download URLs for the source
- hashes of the source (probably needs to be per URL)
I thought I saw something about this in the thread, but going through it again I can't seem to find it. Would this sort of thing also be included in "improvements to package hosting"?
/M
My strawman proposal did include the idea of identifying a package via its hash, and then providing redundant URLs for download (some of those URLs possibly being non-HTTP, such as a special URL to refer to contents within a Git repository). But as I keep saying, that was a strawman proposal, not to be taken as a final design. That said, simply adding that information to the 00-index file seems like an easy win. The hashes, at the very least, would fit in well.

Michael
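As an added illustration of the per-URL hash metadata discussed in this thread (example code written for this page, not from the Hackage index, cabal, or either author): a client that reads a hypothetical index record listing several download URLs with a SHA-256 per URL, tries the URLs in order, and only hands bytes to the tar unpacker after the digest matches. The record layout, the URLs and the tarballs are constructed for the example; a mirror serving a tampered tarball is rejected and the client falls back to the next URL.

```python
import hashlib
import io
import tarfile


def make_tarball(files):
    """Build an in-memory .tar.gz from {path: bytes}. Constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def index_entry(name, version, urls_to_bytes):
    """Hypothetical index record (assumed layout, not the real 00-index):
    one sha256 per download URL, computed over the bytes the publisher
    intends each URL to serve."""
    return {
        "name": name,
        "version": version,
        "sources": [
            {"url": url, "sha256": hashlib.sha256(data).hexdigest()}
            for url, data in urls_to_bytes.items()
        ],
    }


class HashMismatch(Exception):
    """Raised when no listed URL served bytes matching the index hash."""


def fetch_verified(entry, fetch):
    """Try each URL in order and return (bytes, url) for the first download
    whose sha256 matches the index. `fetch(url) -> bytes` is supplied by the
    caller (simulated below). Unverified bytes never reach the unpacker."""
    errors = []
    for src in entry["sources"]:
        try:
            data = fetch(src["url"])
        except Exception as exc:  # network errors: move on to the next mirror
            errors.append((src["url"], f"fetch failed: {exc}"))
            continue
        got = hashlib.sha256(data).hexdigest()
        if got != src["sha256"]:
            errors.append((src["url"], f"sha256 {got} != {src['sha256']}"))
            continue
        return data, src["url"]
    raise HashMismatch(errors)


def unpack_verified(entry, fetch):
    """Fetch, verify, then unpack in memory; returns ({member: bytes}, url).
    Member names are checked so a tarball cannot write outside its tree."""
    data, url = fetch_verified(entry, fetch)
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError(f"unsafe member path: {member.name}")
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out, url


def is_rejected(entry, fetch):
    """True if every URL in the entry fails verification."""
    try:
        unpack_verified(entry, fetch)
    except HashMismatch:
        return True
    return False


# Constructed sample: the genuine tarball and a tampered one that adds a
# build-type: Custom line (i.e. a Setup.hs that would run at build time).
GOOD = make_tarball({"foo-1.0/foo.cabal": b"name: foo\nversion: 1.0\n"})
TAMPERED = make_tarball(
    {"foo-1.0/foo.cabal": b"name: foo\nversion: 1.0\nbuild-type: Custom\n"}
)

# Index lists a mirror first, then the origin; both are expected to serve GOOD.
ENTRY = index_entry("foo", "1.0", {
    "https://mirror.example/foo-1.0.tar.gz": GOOD,
    "https://hackage.example/foo-1.0.tar.gz": GOOD,
})


def simulated_fetch(url):
    """Stand-in for HTTP: the mirror has been tampered with, the origin is fine."""
    served = {
        "https://mirror.example/foo-1.0.tar.gz": TAMPERED,
        "https://hackage.example/foo-1.0.tar.gz": GOOD,
    }
    return served[url]


if __name__ == "__main__":
    files, url = unpack_verified(ENTRY, simulated_fetch)
    print("unpacked", sorted(files), "from", url)
    print("all mirrors tampered -> rejected:", is_rejected(ENTRY, lambda u: TAMPERED))
```

The check happens on the raw bytes before any tar or gzip parsing, which is the point of the "verify before unpacking" discussion: a mirror that serves altered content is skipped rather than decompressed, and if every listed URL fails the client refuses to proceed instead of falling back to an unverified download.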