IMHO Hackage and Cabal should support package signing even if they
aren't package managers.
On Wed, Jan 30, 2013 at 6:59 PM, Joachim Breitner
Hi,
Am Mittwoch, den 30.01.2013, 11:27 -0800 schrieb Edward Z. Yang:
https://status.heroku.com/incidents/489
Unsigned Hackage packages are a ticking time bomb.
another reason why Cabal is no package manager¹.
(Ok, I admit that I don’t review every line of diff between the Haskell packages I uploads. But thanks to http://hdiff.luite.com/ I at least glance over them most of the time – a hurdle that malicious code would have to take. And once a package has entered a distribution like Debian (which it only can with a valid cryptographic signatures), checksums and signatures are used in many places to (mostly) guarantee that the package reaches the user unmodified.)
Greetings, Joachim
¹ http://ivanmiljenovic.wordpress.com/2010/03/15/repeat-after-me-cabal-is-not-...
-- Joachim "nomeata" Breitner Debian Developer nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
-- Felipe.