
On Fri, Feb 01, 2013 at 01:07:33PM +0100, Christopher Done wrote:
> Hey dude, it looks like we made the same project yesterday:
> http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_pac...
> Yours is nice as it doesn't depend on GPG. Although that could be a nice thing because GPG manages keys. Dunno.
> Another diff is that mine puts the .sig inside the .tar.gz, yours puts it separate.
Nice to see a productive discussion on this. /me really needs to read reddit more :)

Couple of details: no, the signature is going inside the tarball too. The signature process happens during the sdisting, after building the manifest. My reason for doing so, which I suspect is similar to yours, is that I don't need to modify hackage this way and the uploading stays the same. Also, in my case, cabal-signature is called by cabal, not by the user. I can't see this effort working without forcing everyone to use it (transparently in the background).

For gpg, I don't know what the right answer is. On one hand it's solving all the problems related to this already, but on the other there is the portability issue. I was thinking maybe one way to verify the key that I use for signing would be to tie it to a personal gpg key (by signing the key with a gpg key) to benefit from all the facilities that gpg provides. It would provide a cheap way to switch model later, without being tied to a gpg signing process.

-- Vincent