On Thu, Apr 30, 2015 at 10:08 AM Jeremy wrote:

Mathieu Boespflug-4 wrote

...

We're not introducing dependencies on dynamically linked system libraries that makes tooling hard to distribute. We're not asking users to install anything new that isn't already a staple of most developer desktops

My sole concern with this is that git is often not present on build servers, which may be minimal cloud VMs. Here's what I get when I try to install git on mine:

# apt install git --no-install-recommends ... The following NEW packages will be installed: git git-man libcurl3-gnutls liberror-perl libexpat1 libgdbm3 perl perl-modules 0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded. Need to get 10.4 MB of archives. After this operation, 57.2 MB of additional disk space will be used.

Not unbearable, but not insignificant either.

One possible workflow[1] would be to have a dedicated system that uses Git and GPG to pull the current versions of all packages and verify signatures. That system could then create a snapshot of that information that could simply be downloaded by a build server. In fact, there could even be a public server available providing that functionality, with the caveat that- like today- you'd need to trust that server to not be compromised. I think this is what Mathieu was getting at when he said:

Further, users can still opt-out of signature verification if they want to.

Michael [1] And possible may be too weak a word, as I have an implementation pretty close to this already.

On 30/04/2015 08:08, Jeremy wrote:

Mathieu Boespflug-4 wrote

...

We're not introducing dependencies on dynamically linked system libraries that makes tooling hard to distribute. We're not asking users to install anything new that isn't already a staple of most developer desktops My sole concern with this is that git is often not present on build servers, which may be minimal cloud VMs. Here's what I get when I try to install git on mine:

# apt install git --no-install-recommends ... The following NEW packages will be installed: git git-man libcurl3-gnutls liberror-perl libexpat1 libgdbm3 perl perl-modules 0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded. Need to get 10.4 MB of archives. After this operation, 57.2 MB of additional disk space will be used.

I'm no fan of unnecessary bloat, but considering that typical Debian installation of ghc is +500MB (7.4) to +800M (7.10) (severely bloated by multiple almost copies of the same file), I'm not sure how relevant this is on a haskell build server. Plus, many people already uses git on build servers making a zero cost for most of us. -- Vincent

Ignore that, cosmic rays flipped some bits in my memory, server footprint is 418Mb (including cabal-install). -- View this message in context: http://haskell.1045720.n5.nabble.com/Improvements-to-package-hosting-and-sec... Sent from the Haskell - Haskell-Cafe mailing list archive at Nabble.com.