
Vincent Hanquez
That was exactly my suggestion actually. It requires the ability to make and check signatures. The making can be done with external tools like GnuPG, but the checking has to be done by cabal-install. To detect changed keys there also needs to be a trust database, which can be a simple directory in ~/.cabal/ where files are named after the fingerprint of the key they contain.
The most important part is a sensible user interface. The whole process should be invisible to the user, until there is a signature error. The first installation of a package will actually generate a handful of signature errors, because the keys are not known yet.
This shouldn't be too hard to implement and requires only a small change to Hackage and cabal-install's upload command to begin.
That's not a proper solution, and definitely in the warm fuzzy feeling department.
What if you install a package for the first time and this package has just been re-uploaded maliciously with a different key and a payload? What if you're relying on Hackage mirrors, what stops this mirror from regenerating all signatures with a new key?
It also makes maintainer changes difficult, as well as genuine non-maintainer uploads.
See the last point of my post. The last step is to implement proper web of trust functionality, so that some keys can be declared to be signing keys. Then a set of trusted keys can be shipped together with cabal-install.
That step is optional, because at least now I can fetch developer keys by other means like a key server.
In my solution, Cabal warns for new and changed keys and asks whether to trust them, showing a fingerprint.
Greets,
Ertugrul
--
Key-ID: E5DD8D11 "Ertugrul Soeylemez
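A sketch of the trust-directory check discussed in this thread (files named after key fingerprints under ~/.cabal/, a warning for a key not seen before, an error for a key that has changed), written as an added example and not code from cabal-install or from either poster. It assumes the signature itself has already been verified by an external tool such as GnuPG, which hands over the signer's fingerprint; the directory layout, the `TrustDb` class and all fingerprints and key blocks are constructed for the example.

```python
import json
import tempfile
from pathlib import Path

TRUSTED, NEW_KEY, CHANGED_KEY = "trusted", "new-key", "changed-key"


class TrustDb:
    """One file per key fingerprint (constructed analogue of ~/.cabal/trust/).
    Each file holds the key material and the packages that key has signed."""

    def __init__(self, root: Path):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def _key_file(self, fingerprint: str) -> Path:
        return self.root / fingerprint.upper().replace(" ", "")

    def _record(self, path: Path) -> dict:
        return json.loads(path.read_text())

    def trust(self, fingerprint: str, package: str, public_key: str) -> None:
        """Record that the user accepted `fingerprint` as signer of `package`."""
        path = self._key_file(fingerprint)
        rec = self._record(path) if path.exists() else {"key": public_key, "packages": []}
        if package not in rec["packages"]:
            rec["packages"].append(package)
        path.write_text(json.dumps(rec))

    def check(self, fingerprint: str, package: str) -> str:
        """Classify an already-verified signature on `package` by `fingerprint`."""
        path = self._key_file(fingerprint)
        if path.exists() and package in self._record(path)["packages"]:
            return TRUSTED
        # A different key is on record for this package: the key changed (error).
        for other in self.root.iterdir():
            if other != path and package in self._record(other)["packages"]:
                return CHANGED_KEY
        return NEW_KEY  # nothing known yet (e.g. first install): prompt the user


def demo() -> list:
    """First install, re-install, re-upload under another key, unrelated package."""
    db = TrustDb(Path(tempfile.mkdtemp()) / "trust")
    dev, other = "AAAA1111BBBB2222", "CCCC3333DDDD4444"  # constructed fingerprints
    results = [db.check(dev, "foo")]  # new-key: no record for foo yet
    db.trust(dev, "foo", "-----BEGIN PGP PUBLIC KEY BLOCK----- (constructed)")
    results.append(db.check(dev, "foo"))    # trusted: same key as recorded
    results.append(db.check(other, "foo"))  # changed-key: foo re-signed by another key
    results.append(db.check(other, "bar"))  # new-key: bar has no record at all
    return results
```

The third result is the case raised in the reply above: a package already installed under one key and re-uploaded under another is flagged, whereas a first install can only be reported as an unknown key.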