
Hi,

On Wednesday, 30.01.2013, 11:27 -0800, Edward Z. Yang wrote:
> https://status.heroku.com/incidents/489
> Unsigned Hackage packages are a ticking time bomb.

another reason why Cabal is no package manager¹. (Ok, I admit that I don't review every line of diff between the Haskell packages I upload. But thanks to http://hdiff.luite.com/ I at least glance over them most of the time – a hurdle that malicious code would have to clear. And once a package has entered a distribution like Debian (which it only can with a valid cryptographic signature), checksums and signatures are used in many places to (mostly) guarantee that the package reaches the user unmodified.)

Greetings,
Joachim

¹ http://ivanmiljenovic.wordpress.com/2010/03/15/repeat-after-me-cabal-is-not-...

-- 
Joachim "nomeata" Breitner
Debian Developer
nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
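The "checksums and signatures are used in many places" remark above describes a chain of trust: a signed root manifest lists the hash of a package index, and the index lists the hash of every package archive, so a client can detect a modified package without trusting the host it downloaded from. The following is an added illustration written for this page, not Debian's or Cabal's own tooling. It constructs such a two-level hash chain with the standard library only; because the standard library has no public-key signature verification, the distribution's detached GPG signature on the root manifest is represented by an HMAC under a key the client is assumed to already hold (an assumption made for the example). The package names and contents are constructed sample data.

```python
"""Hash-chain verification in the style of a signed distribution archive.

A root manifest ("Release") carries the SHA-256 and size of an index
("Packages"); the index carries the SHA-256 and size of each package
archive.  Only the root manifest needs to be authenticated; everything
below it is pinned by hashes.  ARCHIVE_KEY and the HMAC stand in for the
distribution's signing key and detached signature (example assumption).
"""
import hashlib
import hmac

# Constructed trust anchor: a real archive ships a public key with the
# client; here a shared secret plays that role so the example runs offline.
ARCHIVE_KEY = b"constructed-archive-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_index(packages: dict) -> bytes:
    """Index listing 'name sha256 size' per package, one entry per line."""
    lines = [f"{name} {sha256_hex(blob)} {len(blob)}"
             for name, blob in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def build_release(index: bytes) -> bytes:
    """Root manifest pinning the index by hash and size."""
    return f"Packages {sha256_hex(index)} {len(index)}\n".encode()


def sign_release(release: bytes) -> bytes:
    """Stand-in for the archive's detached signature over the root manifest."""
    return hmac.new(ARCHIVE_KEY, release, hashlib.sha256).digest()


def parse_manifest(manifest: bytes) -> dict:
    """Parse 'name hexdigest size' lines into {name: (hexdigest, size)}."""
    entries = {}
    for line in manifest.decode().splitlines():
        if line.strip():
            name, digest, size = line.split()
            entries[name] = (digest, int(size))
    return entries


def verify_chain(release: bytes, signature: bytes, index: bytes, packages: dict) -> dict:
    """Walk the chain top-down.

    Raises ValueError if the root manifest or the index cannot be trusted;
    otherwise returns {package name: True if its bytes match the index}.
    """
    if not hmac.compare_digest(sign_release(release), signature):
        raise ValueError("release manifest signature does not verify")
    want_digest, want_size = parse_manifest(release)["Packages"]
    if len(index) != want_size or not hmac.compare_digest(sha256_hex(index), want_digest):
        raise ValueError("package index does not match the signed release")
    expected = parse_manifest(index)
    results = {}
    for name, blob in packages.items():
        if name not in expected:
            results[name] = False  # unknown to the signed index
            continue
        digest, size = expected[name]
        results[name] = len(blob) == size and hmac.compare_digest(sha256_hex(blob), digest)
    return results


def demo():
    """Return (results for intact archive, results after one package is altered)."""
    packages = {  # constructed sample packages
        "foo_1.0.tar.gz": b"constructed package contents for foo",
        "bar_2.1.tar.gz": b"constructed package contents for bar",
    }
    index = build_index(packages)
    release = build_release(index)
    signature = sign_release(release)
    intact = verify_chain(release, signature, index, packages)

    tampered = dict(packages)
    tampered["foo_1.0.tar.gz"] = b"constructed package contents for foo; extra bytes"
    altered = verify_chain(release, signature, index, tampered)
    return intact, altered


def forged_index_detected() -> bool:
    """A host that rewrites the index and release without the key is rejected."""
    packages = {"foo_1.0.tar.gz": b"replaced contents"}
    index = build_index(packages)
    release = build_release(index)
    _, good_signature = None, sign_release(b"some other release")
    try:
        verify_chain(release, good_signature, index, packages)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("forged index rejected:", forged_index_detected())
```

Sizes are checked alongside digests so a truncated or padded download fails fast, and every comparison goes through `hmac.compare_digest` so verification time does not leak how much of a digest matched. The weak point the example cannot fix is the trust anchor itself: if the key (or, in a real archive, the public key) is not distributed out of band, the whole chain is only as trustworthy as the host serving it, which is exactly the gap an unsigned package index leaves open.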