
Malcolm Wallace

Isaac Jones writes:

1) Generate a gnupg key.
2) Use cabal-put to sign and upload a package.
3) cabal-get can then be used to download and install as before, but first it checks the signatures of all the packages.
What do folks think of that?
Personally, I think it sounds good.
Cool.
Security is becoming ever more important, and the Haskell community is growing, thereby increasing the currently remote possibility of deliberate malware. Since installation via hackage will be both automatic and often performed with root access, it is essential to have a good security model from the beginning.
Exactly :)
Having said all that, I don't know the first thing about gnupg, or how to go about signing keys or anything like that. I imagine that for people in remote locations, bootstrapping into the web of trust might be significantly more of a barrier than they would like.
Since we will actually accept packages without signatures, I think this isn't too bad of a problem. Users will get a warning if the key is untrusted, and be asked if they want to continue. Hopefully this will present enough of a barrier for script-kiddies and an incentive for packagers to get their keys signed.

Maybe the client should even reject untrusted packages, and the end user would have to go and twiddle some configuration somewhere to even get the option to override it; that would encourage people to get their keys signed even more :) Is that too harsh?

Occasionally we may have a problem with getting people into the keyring, but assuming we can bootstrap from Debian's well-established web of trust, this shouldn't be too bad.

peace,

isaac
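As an added example, not Cabal's code and not anything posted by the participants, here is how a cabal-get style client could implement step 3 of the procedure quoted at the top of the thread together with the warn-versus-reject policy Isaac raises: run gpg non-interactively on a detached signature, parse its machine-readable status output, and map the result to accept, ask or reject. The gpg flags and the `[GNUPG:]` status tokens are GnuPG's own interfaces; the policy mapping, the treatment of unsigned packages, the `.sig` filename convention, and the sample status transcripts are assumptions of this example.

```python
"""Signature check for a cabal-get style installer (added example, not Cabal code).

The gpg flags and "[GNUPG:] ..." tokens are real GnuPG interfaces (see GnuPG's
doc/DETAILS).  The policy mapping and the sample transcripts are assumptions.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import Optional

# Trust levels gpg reports for the signing key after a good signature.
TRUST_TOKENS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}   # policy assumption


@dataclass
class Verdict:
    decision: str            # "accept", "ask" (warn and prompt) or "reject"
    reason: str
    keyid: Optional[str] = None


def gpg_verify_command(sig_path: str, pkg_path: str) -> list:
    """Non-interactive detached-signature check.  --status-fd 1 puts the
    machine-readable status lines on stdout; human chatter stays on stderr."""
    return ["gpg", "--batch", "--no-tty", "--status-fd", "1",
            "--verify", sig_path, pkg_path]


def decide(status_output: Optional[str], strict: bool = False) -> Verdict:
    """Map gpg status lines to a decision.  None means no signature shipped.
    strict=True is the harsher policy from the thread: anything short of a good
    signature from a trusted key is rejected and the user must change config."""
    if status_output is None:
        return (Verdict("reject", "unsigned package (strict mode)") if strict
                else Verdict("ask", "package is unsigned"))
    goodsig_key = trust = failure = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue                      # not a status line
        token = fields[1]
        if token == "GOODSIG":
            goodsig_key = fields[2]
        elif token in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            failure = token
        elif token in TRUST_TOKENS:
            trust = token
    if failure == "BADSIG":
        return Verdict("reject", "signature does not match the package")
    if failure in ("EXPKEYSIG", "REVKEYSIG"):
        return Verdict("reject", f"signing key is unusable ({failure})")
    if failure in ("ERRSIG", "NO_PUBKEY"):   # cannot check: treat like unsigned
        reason = f"cannot verify signature ({failure})"
        return Verdict("reject" if strict else "ask", reason)
    if goodsig_key is None:
        return Verdict("reject", "no usable signature status from gpg")
    if trust in TRUSTED:
        return Verdict("accept", "good signature from a trusted key", goodsig_key)
    if trust == "TRUST_NEVER":
        return Verdict("reject", "key is marked never-trust", goodsig_key)
    # Good signature, but the key is outside the web of trust: the warning case.
    if strict:
        return Verdict("reject", "untrusted key (strict mode)", goodsig_key)
    return Verdict("ask", "good signature from an untrusted key", goodsig_key)


def verify_package(pkg_path: str, strict: bool = False) -> Verdict:
    """What the client does before installing: check pkg_path.sig if present."""
    sig_path = pkg_path + ".sig"          # filename convention assumed here
    if not os.path.exists(sig_path):
        return decide(None, strict)
    proc = subprocess.run(gpg_verify_command(sig_path, pkg_path),
                          capture_output=True, text=True)
    return decide(proc.stdout, strict)


# Constructed, abbreviated status transcripts; key ID and user ID are made up.
GOOD_TRUSTED = ("[GNUPG:] GOODSIG ABCDEF0123456789 Example Packager <p@example.org>\n"
                "[GNUPG:] TRUST_ULTIMATE 0 pgp\n")
GOOD_UNTRUSTED = ("[GNUPG:] GOODSIG ABCDEF0123456789 Example Packager <p@example.org>\n"
                  "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
BAD = "[GNUPG:] BADSIG ABCDEF0123456789 Example Packager <p@example.org>\n"
MISSING_KEY = ("[GNUPG:] ERRSIG ABCDEF0123456789 1 8 00 1107216000 9 -\n"
               "[GNUPG:] NO_PUBKEY ABCDEF0123456789\n")

if __name__ == "__main__":
    for name, sample in [("trusted", GOOD_TRUSTED), ("untrusted", GOOD_UNTRUSTED),
                         ("bad", BAD), ("no pubkey", MISSING_KEY), ("unsigned", None)]:
        for strict in (False, True):
            v = decide(sample, strict)
            print(f"{name:10} strict={strict!s:5} -> {v.decision:7} {v.reason}")
```

The point the code makes explicit is that "good signature" and "trusted key" are two separate facts: gpg reports GOODSIG whenever the signature matches, and only the TRUST_* line says whether the key is inside the web of trust. A client that merely checks `gpg --verify`'s exit status would install a package signed by any key at all, which is exactly the script-kiddie case the thread wants a barrier against.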