
2 Nov 2009, 11:37 a.m.
??????? ?????? wrote:
No no no! Why not download the normal (signed) cabal list from the DHT (and optionally directly from hackage.haskell.org)? These are all the packages that would appear on the website. Why serve any other content? All nodes in the DHT may check and make sure the file (or fragment) being served is properly signed.
Any desire for popularity or tagging capability should be separate.
Because a single Hackage private key can be brute-forced or stolen far more easily than lots and lots of keys of random people.
You only need to compromise one well-trusted key to compromise the system.

Cheers, Jochem

--
Jochem Berndsen | jochem@functor.nl | jochem@????.com
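The exchange above contrasts a DHT that serves only content signed by one Hackage key with a design that spreads trust over many keys, and Jochem's objection is that a single well-trusted key remains a single point of failure. The following is an added illustration, not code from the thread, from Hackage or from any Haskell tooling: a node-side verifier that accepts an index fragment only when at least k of n trusted keys have signed it. Go is used here because its standard library ships Ed25519, so the example runs stand-alone; the key ids ("hackage", "a", "b", "c"), the `Policy` type and the index contents are all constructed for the example and are not from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// IndexFragment is a constructed stand-in for one piece of the signed
// package list a DHT node would serve. Sigs maps a signer id to that
// signer's Ed25519 signature over Body; a map means each trusted key is
// counted at most once, however many times it signs.
type IndexFragment struct {
	Body []byte
	Sigs map[string][]byte
}

// Policy is a hypothetical trust policy: a fragment is accepted only if at
// least Threshold distinct trusted keys have produced valid signatures.
// Threshold 1 with one key is the "single Hackage key" design; a higher
// threshold is the alternative in which no one key is sufficient.
type Policy struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// Verify counts valid signatures from trusted keys only. Signatures from
// unknown signers are ignored rather than rejected, so an attacker cannot
// make a good fragment fail by attaching junk.
func (p Policy) Verify(f IndexFragment) bool {
	valid := 0
	for id, sig := range f.Sigs {
		pub, ok := p.Keys[id]
		if !ok {
			continue
		}
		if ed25519.Verify(pub, f.Body, sig) {
			valid++
		}
	}
	return valid >= p.Threshold
}

type signer struct {
	id   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newSigner(id string) signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return signer{id: id, pub: pub, priv: priv}
}

// sign builds a fragment carrying one signature per given signer.
func sign(body []byte, ss ...signer) IndexFragment {
	f := IndexFragment{Body: body, Sigs: map[string][]byte{}}
	for _, s := range ss {
		f.Sigs[s.id] = ed25519.Sign(s.priv, body)
	}
	return f
}

// Scenario plays out both designs against a single stolen key and returns:
// whether the single-key policy accepts an attacker-signed fragment,
// whether a 2-of-3 policy accepts a fragment signed by one stolen key,
// whether the 2-of-3 policy accepts an honestly co-signed fragment, and
// whether it rejects that fragment once the body is tampered with.
func Scenario() (singleKeyForged, thresholdOneKey, thresholdHonest, tamperedRejected bool) {
	honest := []byte("base-4.2.0.0 containers-0.3.0.0\n") // constructed index text
	evil := []byte("base-4.2.0.0 backdoor-1.0\n")          // constructed malicious text

	hackage := newSigner("hackage")
	single := Policy{Keys: map[string]ed25519.PublicKey{"hackage": hackage.pub}, Threshold: 1}
	// Whoever holds the one key can publish anything: Jochem's point.
	singleKeyForged = single.Verify(sign(evil, hackage))

	a, b, c := newSigner("a"), newSigner("b"), newSigner("c")
	multi := Policy{
		Keys:      map[string]ed25519.PublicKey{"a": a.pub, "b": b.pub, "c": c.pub},
		Threshold: 2,
	}
	thresholdOneKey = multi.Verify(sign(evil, a))        // one stolen key is not enough
	thresholdHonest = multi.Verify(sign(honest, a, b))   // two independent signers suffice

	tampered := sign(append([]byte(nil), honest...), a, b)
	tampered.Body[0] ^= 1 // flip a bit after signing, as a malicious node might
	tamperedRejected = !multi.Verify(tampered)
	return
}

func main() {
	s, t1, t2, t3 := Scenario()
	fmt.Println("single key, stolen key forgery accepted:", s)
	fmt.Println("2-of-3, one stolen key accepted:", t1)
	fmt.Println("2-of-3, honest co-signed accepted:", t2)
	fmt.Println("2-of-3, tampered body rejected:", t3)
}
```

The threshold only helps if the k keys are actually held by independent parties; k signatures from keys that all live on the same build server are, for the purposes of this argument, one key.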