
Excerpts from Joachim Breitner's message of Wed Jan 30 14:57:28 -0800 2013:
> I’m not against cryptographically signed packages on hackage. In fact, I would whole-heartedly appreciate it, as it would make my work as a package maintainer easier.
> I was taking the opportunity to point out an advantage of established package management systems, to shamelessly advertise my work there, as not everyone sees distro-packaged libraries as a useful thing.
Yes. In fact, I am a sysadmin for a large shared hosting environment, and the fact that programming language libraries tend not to be distro-packaged is an endless headache for us. We would like it if everything were just packaged properly! On the other hand, working in these circumstances has made me realize that there is a huge tension between the goals of package library authors and distribution managers (a package library author desires ease of installation of their packages, keeping everyone as up-to-date as possible, and tends to be selfish when it comes to the rest of the ecosystem, whereas the distribution manager values stability, security, and global consistency of the ecosystem). So there is a lot of work to be done here. Nevertheless, I believe we are in violent agreement that cryptographically signed Hackage packages should happen as soon as possible!

Edward