
Bulat Ziganshin
> Hello Isaac,
> Tuesday, May 10, 2005, 9:21:15 PM, you wrote:
> IJ> I'm working with Lemmih on the designs for Hackage and Cabal-Get.
> IJ> He's a real trooper, since I'm a total "customer" and have hardly
> IJ> written a line of code for these tools, but keep coming up with new
> IJ> requirements.
> How about taking Perl's CPAN and Ruby's Yaraa as a model?
We have, to some extent, and also Debian's model. (snip)
> IJ> This actually already works :)
> I think that many package authors will prefer to hold archives on their own sites, and IMHO Hackage must provide the ability to just send a description (package.cabal) to the main site; in this case this file must include the exact URL to download the full package. Also, the .cabal file must include the "home page" of the package and the email address of the author.
This is already actually implemented, but disabled. I think it's best to keep the packages on the Hackage site, at least at first; that way we can guarantee that they will be available (especially for package dependencies), that the packager hasn't altered them without altering the version number (requiring rebuilds of other packages), stuff like that. Cabal already has the fields that you are asking for. We'll see how people use things and update our ideas accordingly. Also, the client can work with multiple servers.
> IJ> The big problem actually is that this is in no way secure, and just
> IJ> begging to be exploited. Boo.
> IMHO the best way to deal with this problem is "reserving" package names with a password. After that, to change any information belonging to a package, the password must be supplied.
So we're basically "reserving" package names with keys instead of passwords.
> IJ> 1) Generate a gnupg key. Preferably get it signed by someone in my web
> IJ> of trust (I'll try to organize a keysigning party at ICFP).
> Yes, yes, we can also use our personal FBI numbers. Anyway, someone not working in the FBI can't be a good Haskeller :)
Are you saying that crypto-signing is overkill? If so, I would have to disagree, since many people will want to install packages as root. I personally don't want to ask people to trust the good will of the entire internet.

peace, isaac
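The design discussed in this message, as an added example that is not code from Hackage, Cabal or either author: a package name is "reserved" by the key that first uploads it, every later upload of that name must be signed by that key, and a published version is immutable (the "altered without altering the version number" concern above). The `Registry` API, the uploader names and the package bytes are all hypothetical, and signatures are a hash-then-sign RSA written from the standard library only so that the script runs offline; the thread proposes gnupg (OpenPGP) keys, and this homemade RSA is a stand-in, not a recommendation.

```python
"""Added example (not Hackage/Cabal code): name reservation by key, signed
uploads, immutable versions, and client-side verification before install.
Signatures are homemade hash-then-sign RSA (stdlib only) standing in for the
gnupg keys the thread proposes. All package contents are constructed bytes."""
import hashlib
import secrets

SMALL_PRIMES = [p for p in range(3, 200, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=1024):
    """Returns (public, private) as ((n, e), (n, d)) with e fixed at 65537."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:   # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def encode_digest(message, modulus):
    """PKCS#1 v1.5-style encoding of SHA-256(message) (DigestInfo omitted);
    the leading zero byte keeps the integer below the modulus."""
    k = (modulus.bit_length() + 7) // 8
    digest = hashlib.sha256(message).digest()
    padded = b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest
    return int.from_bytes(padded, "big")

def sign(private_key, message):
    n, d = private_key
    return pow(encode_digest(message, n), d, n)

def verify(public_key, message, signature):
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == encode_digest(message, n)

def upload_message(name, version, tarball):
    """What gets signed: name and version are bound in, so a signature on one
    release cannot be replayed onto another name or version."""
    return b"\0".join([name.encode(), version.encode(), hashlib.sha256(tarball).digest()])

class Registry:
    """Hypothetical server side: first valid upload reserves the name for that key."""
    def __init__(self):
        self.owner_key = {}   # package name -> public key that reserved it
        self.archive = {}     # (name, version) -> (tarball, signature)

    def upload(self, name, version, tarball, public_key, signature):
        owner = self.owner_key.get(name, public_key)   # unknown name: reserve it
        if owner != public_key:
            raise PermissionError(f"{name} is reserved by another key")
        if not verify(owner, upload_message(name, version, tarball), signature):
            raise ValueError("signature does not verify under the owner's key")
        published = self.archive.get((name, version))
        if published is not None and published[0] != tarball:
            raise ValueError(f"{name}-{version} already published; bump the version")
        self.owner_key[name] = owner
        self.archive[(name, version)] = (tarball, signature)

    def fetch(self, name, version):
        tarball, signature = self.archive[(name, version)]
        return tarball, signature, self.owner_key[name]

def run_scenario():
    """Two uploaders against one registry; returns which steps were accepted."""
    registry = Registry()
    alice_pub, alice_priv = generate_keypair()
    mallory_pub, mallory_priv = generate_keypair()
    foo_10 = b"constructed sample tarball: foo-1.0"
    foo_11 = b"constructed sample tarball: foo-1.1"

    def attempt(name, version, tarball, pub, priv):
        sig = sign(priv, upload_message(name, version, tarball))
        try:
            registry.upload(name, version, tarball, pub, sig)
            return True
        except (PermissionError, ValueError):
            return False

    results = {
        "alice_reserves_foo": attempt("foo", "1.0", foo_10, alice_pub, alice_priv),
        "mallory_hijacks_foo": attempt("foo", "1.1", foo_11, mallory_pub, mallory_priv),
        "alice_updates_foo": attempt("foo", "1.1", foo_11, alice_pub, alice_priv),
        "alice_rewrites_1.0": attempt("foo", "1.0", foo_10 + b" changed", alice_pub, alice_priv),
    }
    # Client side: check the owner's signature before unpacking anything as root.
    # Whether to trust that key at all is the web-of-trust question raised above.
    tarball, sig, owner = registry.fetch("foo", "1.1")
    results["client_accepts_genuine"] = verify(owner, upload_message("foo", "1.1", tarball), sig)
    results["client_rejects_tampered"] = verify(owner, upload_message("foo", "1.1", tarball + b"x"), sig)
    return results

if __name__ == "__main__":
    for step, accepted in run_scenario().items():
        print(f"{step}: {'accepted' if accepted else 'rejected'}")
```

The two checks that matter for the threat in the message are the ownership comparison (a second key cannot publish under a reserved name, even with a valid signature of its own) and the immutability check (the owner cannot silently replace bytes behind an existing version). Binding name and version into the signed message is what stops a signature on one release being reused for another.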