
Ertugrul Söylemez
> And that may even be more harmful, because an insecure system with a false sense of security is worse than an insecure system alone.

Yes. As is clear to all, the current low level of security means that nobody is _actually_ downloading stuff off Hackage, thank God. Hackage just exists for...well, I forget, but certainly not to distribute software. Right.

Sarcasm aside, to some extent, this is true. I used to have a cron job 'cabal install'ing my packages off Hackage to ensure that they would compile with the current offering of their dependencies. But I decided it was way too risky, and don't do it anymore.

> Let's do it properly.

You mean like how it was decisively dealt with when this was discussed in 2008? https://github.com/haskell/cabal/issues/207

Or maybe more the way it was firmly handled when it was brought up again in 2010? http://www.haskell.org/pipermail/haskell-cafe/2010-December/087050.html

This looks increasingly like that time of year when the problem is pointed out, the crypto geeks get together to construct the Optimal Solution, and then everybody loses interest and moves on to greener pastures for a while.

Well, I don't think the perfect solution exists, and even if it could be identified, it might not be implemented, and even if it were implemented, it might not be used. We've just been incredibly lucky that nothing really bad has happened so far. Let's hope it lasts.

-k
-- 
If I haven't seen further, it is by standing in the footprints of giants