
On Wed, 18 May 2005, Isaac Jones wrote:
> Also, Hackage is coupled with a tool called cabal-get which actually does the installation onto the end-user's machine, so his characterization of Hackage as simply a package database is also incorrect (HackageDB is the database part.)
Perhaps I wasn't clear. To me the most valuable thing about Hackage is that it provides a directory of already implemented functionality that developers may want to use. I was silent about cabal-get because I don't think users who are not building packages should ever have to worry about dealing with package names. SearchPath is intended to eventually abstract out the whole notion of package names. It looks at all the imported modules in the modules you are passing to GHC, finds implementations for them on the Internet and downloads/installs them if necessary, all without the user having even to think about package names. Note: right now it handles darcs/svn repositories but not packages. I hope to add package functionality soon (perhaps using cabal-get for implementation!)
> His assertion that no one uses codesigning is also incorrect. It is used very successfully in the Debian GNU/Linux system for a nearly identical problem. Debian is renowned for its packaging solutions.
Actually, the Debian model maps more closely to signing module maps than it does to signing packages. Or more particularly, Debian provides you with no help in validating any package not part of a release. Moreover, as I noted in my prior message, the Debian model is particularly irrelevant to the operation of Hackage's role in reliably mapping package names to URLs.
> The difficulties with using GPG can be simplified by writing wrapper tools. That has been the plan all along.
That doesn't change the fact that it forces users to attend key-signing parties. Note that Debian in fact relies on key signing parties.
> I hope by now people learn to take Alex's bold assertions with a grain of salt. I wouldn't keep following up to these emails except that folks keep asking me personally if he's right. I don't know if I have time to continue pointing out exactly where his mis-characterizations lie, but I hope that doesn't mean that he will take away our mindshare by speaking untruths about our tools.
Isaac, I thought the goal here was to improve things for the Haskell community, not to build mindshare for a set of tools. Personally, I hope that Hackage succeeds and does for Haskell what CPAN does for Perl. Getting all defensive about "our tools" is just unhelpful.

-Alex-

______________________________________________________________
S. Alexander Jacobson tel:917-770-6565 http://alexjacobson.com