
At the Haskell Implementors' Workshop at ICFP, Duncan gave a talk on the work on security and package infrastructure that has been going on: https://www.youtube.com/watch?v=D9juHHlnayI

One element of that, which was turned over to the committee to figure out, is who our actual roots of trust would be, in the same sense that there are root certificates for TLS and HTTPS authentication, etc. At the Haskell Symposium itself, I gave a quick lightning talk on the work the committee had done in this regard: https://www.youtube.com/watch?v=U8ISiSXV2c0

(If you are interested in verifying your communications with Duncan, by the way, and if you trust that the video is undoctored, then his GPG key fingerprint appears in it, which may be of some use.)

We did in fact get some keysigning done at the conference, and we also secured a fair number of keys from the roots of trust we co-ordinated, though some follow-up work remains to be done there. We certainly already have enough in hand to bootstrap the process as the Hackage security work gets fully rolled out.

One related discussion we started to have was whether we might want to do Haskell community funding for "phase two" of the update framework rollout, as discussed in Duncan's talk -- the phase where we not only implement server trust and signing, but also author signing.

Apropos of nothing, but a related thought/question I had was whether there would be interest in making cabal files themselves potentially more secure in the manner of the LIO / HLIO work [1]. Having a better chain of trust seems to somewhat obviate the need here, but it does seem like something worth considering. Similar mechanisms might also be worth integrating into Template Haskell IO, for that matter.

However, one concern is that the worth of these approaches depends in part on good SafeHaskell takeup, which has a whole bunch of obstacles in itself :-)

Cheers,
Gershom

[1] http://www.cse.chalmers.se/~russo/publications_files/hybrid-icfp2015.pdf
    https://hackage.haskell.org/package/lio-0.11.5.0
    http://www.scs.stanford.edu/~deian/pubs/stefan:2014:building-haskell.pdf