Isaac Jones
1) Generate a gnupg key. 2) use cabal-put to sign and upload a package 3) cabal-get can then be used to download and install as before, but first it checks the signatures of all the packages.
What do folks think of that?
Personally, I think it sounds good. Security is becoming ever more important, and the Haskell community is growing, thereby increasing the currently remote possibility of deliberate malware. Since installation via hackage will be both automatic, and often performed with root access, it is essential to have a good security model from the beginning. The one you propose seems to have a low overhead, after the initial barrier of establishing trust. Having said all that, I don't know the first thing about gnupg, or how to go about signing keys or anything like that. I imagine that for people in remote locations, bootstrapping into the web of trust might be significantly more of a barrier than they would like. Regards, Malcolm