
Hello Isaac,

Wednesday, May 18, 2005, 8:07:04 PM, you wrote:

IJ> If someone doesn't want to take part in the keysigning, they don't
IJ> have to. The user will be warned that the authenticity of the package
IJ> can't be verified.

i think that the author of the software makes the decision whether to trust or not trust a package signed with a home-made key. warning the user about this is too protective. another story is when a package is downloaded not as part of a compile-some-big-app process, but by the programmer for his own use

i think that to make my viewpoint more obvious, i must tell just about myself. i have written several libs, and i don't know personally Simon PJ or Haskell Church, so no one can say that me is really me :) does that mean that my libs will be second-sort? :)

next. i, the Joe Lucky, install the software, written by someone. does it really matter for me that this software relies on packages written by trusted or untrusted authorities?

next. i don't know how to use gpg and don't want to know :)

you say that security will get more important because the number of Haskell users will grow. actually, creating a complex security scheme is an excellent way to solve this problem - the number of Haskell users will just not grow because this scheme will be too complex. remember - when the number of people grows, their average qualification falls

i don't love to debate, but creating a CPAN-like package library is one of the key steps to raising language popularity. and i definitely want the entrance ticket to this library to cost less than $50 ;)

-- 
Best regards,
 Bulat                            mailto:bulatz@HotPOP.com