
I don't have time to respond point-for-point, but I'll just outline where Alex has once again grossly mis-characterized things.

A lot of what he says about the advantages of SSL over GPG is only true insofar as SSL does not solve these problems at all.

Also, Hackage is coupled with a tool called cabal-get which actually does the installation onto the end-user's machine, so his characterization of Hackage as simply a package database is also incorrect (HackageDB is the database part).

His assertion that no one uses codesigning is also incorrect. It is used very successfully in the Debian GNU/Linux system for a nearly identical problem. Debian is renowned for its packaging solutions.

The difficulties with using GPG can be simplified by writing wrapper tools. That has been the plan all along.

The web of trust will _not_ prevent people who don't know SimonPJ from distributing libraries; everyone will be able to distribute libraries.

I hope by now people learn to take Alex's bold assertions with a grain of salt. I wouldn't keep following up to these emails except that folks keep asking me personally if he's right. I don't know if I have time to continue pointing out exactly where his mis-characterizations lie, but I hope that doesn't mean that he will take away our mindshare by speaking untruths about our tools.

peace,

isaac