Hey dude, it looks like we made the same project yesterday:
http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_pac...
Yours is nice as it doesn't depend on GPG. Although that could be a
nice thing because GPG manages keys. Dunno.
Another diff is that mine puts the .sig inside the .tar.gz, yours puts
it separate.
=)
On 31 January 2013 09:11, Vincent Hanquez
On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
https://status.heroku.com/incidents/489
Unsigned Hackage packages are a ticking time bomb.
I agree this is terrible, I've started working on this, but this is quite a bit of work and other priorities always pop up.
https://github.com/vincenthz/cabal https://github.com/vincenthz/cabal-signature
My current implementation generate a manifest during sdist'ing in cabal, and have cabal-signature called by cabal on the manifest to create a manifest.sign.
The main issue i'm facing is how to create a Web of Trust for doing all the public verification bits.
-- Vincent
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe