
Bulat Ziganshin
Hello Isaac,
Wednesday, May 18, 2005, 8:07:04 PM, you wrote:
IJ> If someone doesn't want to take part in the keysigning, they don't
IJ> have to. The user will be warned that the authenticity of the package
IJ> can't be verified.
I think that the author of the software makes the decision whether to trust or not trust a package signed with a home-made key. Warning the user about this is too protective. Another story is when the package is downloaded not as part of a compile-some-big-app process, but by the programmer for his own use.
The author can't decide whether the end-user should trust the author.
I think that to make my viewpoint more obvious, I must tell just about myself. I have written several libs, and I don't know personally Simon PJ or Haskell Church, so no one can say that me is really me :)
Does that mean that my libs will be second-sort? :)
Next. I, the Joe Lucky, install the software written by someone. Does it really matter for me that this software relies on packages written by trusted or untrusted authorities?
I can't quite figure out what you're saying here, but the point is that the end-user gets to decide who they trust. If they don't mind installing packages from a so-called "untrusted" source, then no big deal. Most people probably don't mind; those people may or may not eventually be compromised by trusting random stuff downloaded from the internet.
next. i don't know how to use gpg and don't want to know :) you say that security will get more important because number of Haskell users will grow. actually, creating complex security scheme is excellent way to solve this problem - number of Haskell users will just not grow because this scheme will be too complex. remember - when number of peoples grow, their average qualification are falls down
We intend to make the tools easy to use.
I don't love to debate, but creating a CPAN-like package library is one of the key steps to raising language popularity. And I definitely want the entrance ticket to this library to cost less than $50 ;)
I tried to make clear that Alexander Jacobson's SSL proposal is completely different from the Hackage security proposal. The Hackage security proposal doesn't cost any money.

peace,
isaac