
Peter Simons
2. How do I get a trusted key given I am not likely to meet anybody "trusted" in the near future?
Unfortunately, that is impossible. Your best bet is to have everybody sign everybody else's key at every possible opportunity, and that still won't mean that the key Joe Doe downloaded from the Internet will be for real.
For now, I'm thinking that a "trusted key", from Hackage's perspective, will be a key that has a path, which I trust, from me to the keyholder. In particular, in the short term at least, I'm hoping that folks in Debian will be willing to sign Haskell users' keys. This is convenient since Debian Developers are scattered all over the world. There may even be one near you ;) To me, this is a high-enough bar. If anyone disagrees strongly with that, let me know, but please also suggest a solution. Why me? Because I have physical access to the box that Hackage will live on, and I have a good handful of trusted keys. (snip)
3. What constitutes a "trusted" key?
There are no trusted keys. The decision of whether to trust a key or not _must_ be made by the person who downloads the package -- the user. Nobody else can make that decision for him.
Right. Hackage will sign packages which are signed by keys that it trusts, and cabal-get will come with a hackage public key. I suppose cabal-get should ask whether or not to trust the hackage key by default upon installation. BTW, if anyone wants to help hack on this, let me know :) peace, isaac
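As an added illustration (not code from this thread, nor from Hackage or cabal-get), the "path, which I trust, from me to the keyholder" rule above modelled as a breadth-first search over a constructed signature graph; the key names are placeholders, and the hop limit is an assumption, since long chains are weak evidence.

```python
from collections import deque

# Constructed signature graph for the example: signer -> keys that signer
# has signed. Names are placeholders, not real key IDs or fingerprints.
SIGNATURES = {
    "isaac": {"debian-dev-A", "debian-dev-B"},
    "debian-dev-A": {"alice"},
    "debian-dev-B": {"bob", "debian-dev-A"},
    "alice": {"carol"},
    "joe-doe": {"joe-doe"},  # self-signed only: nobody on a trusted chain signed it
}


def trust_path(root, target, signatures=SIGNATURES, max_hops=3):
    """Return the shortest chain of signatures from root to target, or None.

    A key counts as trusted here only if it is reachable from root through
    at most max_hops signatures (assumed limit; a real PGP trust model also
    weighs how much each intermediate signer is trusted to certify others).
    """
    if root == target:
        return [root]
    parent = {root: None}
    queue = deque([(root, 0)])
    while queue:
        key, depth = queue.popleft()
        if depth >= max_hops:
            continue  # chain already at the hop limit; do not extend it
        for signed in signatures.get(key, ()):
            if signed in parent:
                continue  # already reached by a path at least as short
            parent[signed] = key
            if signed == target:
                path = [signed]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append((signed, depth + 1))
    return None


def hackage_would_sign(package_signer, root="isaac", max_hops=3):
    """Hackage's decision under the rule above: resign only packages whose
    uploader key has a trust path from the Hackage admin's key."""
    return trust_path(root, package_signer, SIGNATURES, max_hops) is not None


if __name__ == "__main__":
    for uploader in ("carol", "bob", "joe-doe"):
        print(uploader, hackage_would_sign(uploader), trust_path("isaac", uploader))
```

The user-side decision the thread insists on remains separate: cabal-get would still have to ask whether to trust the Hackage key itself before any of this chain means anything to the person installing the package.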