On Fri, Apr 17, 2015 at 1:01 AM Magnus Therning <magnus@therning.org> wrote:
On Thu, Apr 16, 2015 at 03:28:10PM +0000, Michael Snoyman wrote:
> Minor update. Some of your points about checking signatures before
> unpacking made me curious about what Git had to offer in these
> circumstances. For those like me who were unaware of the
> functionality, it turns out that Git has the option to reject
> non-signed commits, just run:
>
> git pull --verify-signatures
>
> I've set up the Travis job that pulls from Hackage to sign its
> commits with the GPG key I've attached to this email (fingerprint
> E595 AD42 14AF A6BB 1552  0B23 E40D 74D6 D6CF 60FD).

Nice one!

One thing I, as a developer of a tool that consumes the Hackage
index[1], would like to see is a bit more meta data, in particular

- alternative download URLs for the source
- hashes of the source (probably needs to be per URL)

I thought I saw something about this in the thread, but going through
it again I can't seem to find it.  Would this sort of thing also be
included in "improvements to package hosting"?

/M

[1]: http://hackage.haskell.org/package/cblrepo



My strawman proposal did include the idea of identifying a package via its hash, and then providing redundant URLs for download (some of those URLs possibly being non-HTTP, such as a special URL to refer to contents within a Git repository). But as I keep saying, that was a strawman proposal, not to be taken as a final design.

That said, simply adding that information to the 00-index file seems like an easy win. The hashes, at the very least, would fit in well.

Michael
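The design sketched above (identify a package by its hash, list several download URLs for it, and check the hash before anything is unpacked) as an added example. This is not code from Hackage, cblrepo or anyone in the thread; it assumes a hypothetical index entry shape (a list of `(url, sha256)` pairs per package, one hash per URL as Magnus asked for), and a pluggable `fetch` callable so the whole thing runs offline against constructed tarballs and constructed mirror responses.

```python
"""Hash-verified package download with mirror fallback.

Added example, not code from Hackage or the thread above. The index
entry format and the mirror URLs are assumptions; the tarballs and the
"responses" served by each mirror are constructed in-process.
"""
import hashlib
import io
import tarfile
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical index entry: {"name", "version", "sources": [(url, sha256_hex), ...]}
IndexEntry = Dict[str, object]


def make_tarball(member_name: str, content: bytes) -> bytes:
    """Build a small in-memory .tar.gz (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(content)
        tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_verified(entry: IndexEntry,
                   fetch: Callable[[str], Optional[bytes]]) -> Tuple[str, bytes]:
    """Try each (url, sha256) in index order; return the first blob that matches.

    The digest is checked on the raw bytes before any unpacking, so a mirror
    serving a tampered or truncated archive is skipped and never reaches the
    tar parser. Raises ValueError when no source yields a matching archive.
    """
    failures: List[Tuple[str, str]] = []
    for url, expected in entry["sources"]:  # type: ignore[union-attr]
        blob = fetch(url)
        if blob is None:
            failures.append((url, "unreachable"))
            continue
        actual = sha256_hex(blob)
        if actual != expected:
            failures.append((url, "sha256 mismatch, got %s..." % actual[:12]))
            continue
        return url, blob
    raise ValueError("no trusted source for %s-%s: %r"
                     % (entry["name"], entry["version"], failures))


def unpack_names(blob: bytes) -> List[str]:
    """Only called on a blob whose hash already matched the index."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        return tf.getnames()


def build_sample() -> Tuple[IndexEntry, Dict[str, bytes]]:
    """Constructed index entry plus what each hypothetical mirror serves."""
    good = make_tarball("foo-1.0/foo.cabal", b"name: foo\nversion: 1.0\n")
    tampered = bytearray(good)
    tampered[-1] ^= 0xFF  # flip one byte: same length, different content
    digest = sha256_hex(good)
    entry: IndexEntry = {
        "name": "foo", "version": "1.0",
        "sources": [
            ("https://mirror-a.example/foo-1.0.tar.gz", digest),
            ("https://mirror-b.example/foo-1.0.tar.gz", digest),
            # non-HTTP source, as the strawman allowed; URL scheme is made up
            ("git+https://example.invalid/foo.git#v1.0", digest),
        ],
    }
    served = {
        "https://mirror-a.example/foo-1.0.tar.gz": bytes(tampered),
        # mirror-b is deliberately absent: simulates an unreachable host
        "git+https://example.invalid/foo.git#v1.0": good,
    }
    return entry, served


def demo() -> Tuple[str, List[str]]:
    """Resolve the sample package: returns (url actually used, member names)."""
    entry, served = build_sample()
    url, blob = fetch_verified(entry, lambda u: served.get(u))
    return url, unpack_names(blob)


def demo_all_bad() -> bool:
    """True if a package with only a tampered mirror is correctly rejected."""
    entry, served = build_sample()
    entry["sources"] = entry["sources"][:1]  # type: ignore[index]
    try:
        fetch_verified(entry, lambda u: served.get(u))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("rejects all-bad sources:", demo_all_bad())
```

The point of checking the digest on the raw archive rather than on extracted files is that the tar and gzip decoders never see untrusted input: a mirror that has been compromised, or a transfer that was truncated, is detected by a single hash compare, and the client simply moves on to the next listed source.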