On Wed, Dec 08, 2010 at 11:41:31AM +0100, Ketil Malde wrote:
> Vincent Hanquez <t...@snarc.org> writes:
>
> > You have to start somewhere with security.
>
> Yes. And you should start with assessing how much cost and
> inconvenience you are willing to suffer for the improvement in
> security you gain. In this case, my assertion is that the marginal
> worsening of security by having a mirror of hackage even without signing
> of packages etc., is less than the marginal improvement in usability.
>
> I'm a bit surprised to find that there seems to be a lot of opposition
> to this view, but perhaps the existing structure is more secure than I
> thought? Or the benefit of a mirror is exaggerated - I can see how
> it would be annoying to have hackage down, but it hasn't happened to me,
> so perhaps those complaining about it just were very unlucky.

Having one glaring security problem is not a good reason to introduce
another one. It just makes more to fix.

As for mirroring, I'm all in favor of any random user doing a mirror.
The only place I see a problem is making those "official" mirrors. If
you were to mirror and announce that you had one then I can trust you or
not. There are some people I would trust to have valid mirrors.

Darrin