
On 17 April 2015 at 05:25, Michael Snoyman wrote:
On Fri, Apr 17, 2015 at 1:01 AM Magnus Therning wrote:
On Thu, Apr 16, 2015 at 03:28:10PM +0000, Michael Snoyman wrote:
Minor update. Some of your points about checking signatures before unpacking made me curious about what Git had to offer in these circumstances. For those like me who were unaware of the functionality, it turns out that Git has the option to reject non-signed commits, just run:
git pull --verify-signatures
I've set up the Travis job that pulls from Hackage to sign its commits with the GPG key I've attached to this email (fingerprint E595 AD42 14AF A6BB 1552 0B23 E40D 74D6 D6CF 60FD).
Nice one!
One thing I, as a developer of a tool that consumes the Hackage index[1], would like to see is a bit more meta data, in particular
- alternative download URLs for the source
- hashes of the source (probably needs to be per URL)
I thought I saw something about this in the thread, but going through it again I can't seem to find it. Would this sort of thing also be included in "improvements to package hosting"?
/M
My strawman proposal did include the idea of identifying a package via its hash, and then providing redundant URLs for download (some of those URLs possibly being non-HTTP, such as a special URL to refer to contents within a Git repository). But as I keep saying, that was a strawman proposal, not to be taken as a final design.
That said, simply adding that information to the 00-index file seems like an easy win. The hashes, at the very least, would fit in well.
I knew I'd seen it somewhere :) Yes, the addition of more meta data is an easy win and can be done before the dust has settled on the issue of how to achieve trust :)

One thing I personally think is nice with OCaml's opam is that its package database is in a git repo (on github) and that adding packages is a matter of submitting a patch. I'd very much like to see a future where I can get a package onto Hackage by

1. cloning the Hackage package git repo
2. adding and committing a .cabal file and meta data about where my package can be found, e.g. something like
   url="GIT=http://github/myname/mypkg.git;TAG=v1.0.2" sha512="..."
3. submitting a pull request

/M

--
Magnus Therning
OpenPGP: 0xAB4DFBA4
email: magnus@therning.org
jabber: magnus@therning.org
twitter: magthe
http://therning.org/magnus
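The per-URL hashes and alternative download locations discussed in the thread, worked through as an added example (not code from the thread or from Hackage): it parses the sketched url="GIT=...;TAG=..." sha512="..." entry format, which is a hypothetical format assumed here, and fetches from a list of mirrors, accepting only bytes whose SHA-512 matches before anything is unpacked. The mirror contents and the fetch function are constructed in-memory stand-ins.

```python
import hashlib
import re

# Hypothetical index entry in the shape sketched in the thread: quoted
# key="value" pairs, where the url value is a ';'-separated KEY=VALUE list.
ENTRY_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_entry(line):
    """Parse one metadata line into a dict of its quoted fields."""
    return dict(ENTRY_RE.findall(line))

def parse_url(url_field):
    """Split 'GIT=http://...;TAG=v1.0.2' into {'GIT': ..., 'TAG': ...}."""
    return dict(part.partition("=")[::2] for part in url_field.split(";"))

def fetch_verified(sources, fetch):
    """Try each (url, sha512_hex) in turn and return (url, data) for the
    first whose raw bytes hash to the expected value, else None.
    The hash is checked on the undecoded bytes, before any unpacking."""
    for url, expected in sources:
        data = fetch(url)
        if data is None:          # mirror unreachable: try the next one
            continue
        if hashlib.sha512(data).hexdigest() == expected:
            return url, data
        # mismatch: treat this mirror as corrupt or tampered, keep looking
    return None

# Constructed sample: two mirrors, the first of which serves altered bytes.
GOOD = b"mypkg-1.0.2 source tarball bytes (constructed sample)"
GOOD_SHA512 = hashlib.sha512(GOOD).hexdigest()
MIRRORS = {
    "https://mirror-a.example/mypkg-1.0.2.tar.gz": GOOD + b"\x00",  # tampered
    "https://mirror-b.example/mypkg-1.0.2.tar.gz": GOOD,
}
SOURCES = [(url, GOOD_SHA512) for url in MIRRORS]

def fake_fetch(url):
    """Stand-in for an HTTP fetch; returns None for unknown URLs."""
    return MIRRORS.get(url)

def demo():
    line = 'url="GIT=http://github/myname/mypkg.git;TAG=v1.0.2" sha512="%s"' % GOOD_SHA512
    entry = parse_entry(line)
    return parse_url(entry["url"]), fetch_verified(SOURCES, fake_fetch)

if __name__ == "__main__":
    print(demo())
```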