On Thu, Dec 09, 2010 at 10:45:39PM +1100, Ivan Lazar Miljenovic wrote:
> On 9 December 2010 20:55, Vincent Hanquez <t...@snarc.org> wrote:
> >
> > You might have misunderstood what I was talking about. I'm proposing signing
> > on the hackage server on reception of the package,
> > where it can be verified by cabal that the package hasn't been signed
> > properly.
> 
> By "cabal", are you referring to Cabal or cabal-install?  If the
> former, then I'm not sure how exactly it would do such verification
> since it doesn't have any notion of the internet as far as I'm aware;
> if the latter then it means absolutely nothing for those of us that do
> not use cabal-install for most packages.

I don't really know the difference between Cabal and cabal-install, but
something is downloading the .tar.gz, and that thing can always download an
extra .tar.gz.sign file which contains a way to verify that the .tar.gz is
genuinely the one that was received by hackage.

For those not using the thing-that-downloads-archives to get their packages from
hackage, they can build the same mechanism that downloads an extra file and
checks the signature. Or they can even choose not to bother, and just download
the package as they did before.

Note that I'm not actually inventing anything new here; this is a common way
to distribute software (Linux distributions, many open-source programs, etc.).

-- 
Vincent
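
The mechanism described above (server signs the archive on reception, client fetches a detached .tar.gz.sign next to the .tar.gz and checks it against a key it already trusts), as an added example that is not part of the original thread and not Hackage's or cabal's own code. It assumes Ed25519 from Go's standard library and a hypothetical two-line .sign format (sha256=... and sig=...); the archive bytes are constructed stand-ins for a real tarball.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical format for the detached .tar.gz.sign file (an assumption, not
// a Hackage format):
//   sha256=<hex digest of the .tar.gz>
//   sig=<base64 Ed25519 signature over the raw .tar.gz bytes>
// The server writes it when the upload is received; any downloader may fetch
// it next to the archive and verify.

// SignArchive is the server side: sign the archive bytes with the server's
// private key and return the contents of the detached .sign file.
func SignArchive(priv ed25519.PrivateKey, archive []byte) []byte {
	digest := sha256.Sum256(archive)
	sig := ed25519.Sign(priv, archive)
	var out bytes.Buffer
	fmt.Fprintf(&out, "sha256=%s\n", hex.EncodeToString(digest[:]))
	fmt.Fprintf(&out, "sig=%s\n", base64.StdEncoding.EncodeToString(sig))
	return out.Bytes()
}

// parseSignFile extracts the digest and signature from a .sign file,
// rejecting anything malformed or truncated.
func parseSignFile(signFile []byte) (digest, sig []byte, err error) {
	for _, line := range strings.Split(strings.TrimSpace(string(signFile)), "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return nil, nil, errors.New("malformed .sign line")
		}
		switch kv[0] {
		case "sha256":
			digest, err = hex.DecodeString(kv[1])
		case "sig":
			sig, err = base64.StdEncoding.DecodeString(kv[1])
		default:
			err = errors.New("unknown .sign field " + kv[0])
		}
		if err != nil {
			return nil, nil, err
		}
	}
	if len(digest) != sha256.Size || len(sig) != ed25519.SignatureSize {
		return nil, nil, errors.New("missing or truncated .sign fields")
	}
	return digest, sig, nil
}

// VerifyArchive is the downloader side. pub is the server's signing key that
// the client already trusts (pinned out of band; it must not be fetched from
// the same place as the archive, or an attacker who can replace the archive
// can replace the key too). It returns nil only if the archive is
// byte-for-byte the one the server signed.
func VerifyArchive(pub ed25519.PublicKey, archive, signFile []byte) error {
	digest, sig, err := parseSignFile(signFile)
	if err != nil {
		return err
	}
	got := sha256.Sum256(archive)
	if !bytes.Equal(got[:], digest) {
		return errors.New("sha256 mismatch: archive differs from the one the server signed")
	}
	if !ed25519.Verify(pub, archive, sig) {
		return errors.New("bad signature: .sign file was not produced by the trusted key")
	}
	return nil
}

func main() {
	// Server key pair; in practice the public half ships with the client.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-in for the uploaded foo-1.0.tar.gz bytes.
	archive := []byte("constructed tarball bytes for foo-1.0.tar.gz")
	signFile := SignArchive(priv, archive)
	fmt.Println("genuine:", VerifyArchive(pub, archive, signFile))
	tampered := append([]byte{}, archive...)
	tampered[0] ^= 1
	fmt.Println("tampered:", VerifyArchive(pub, tampered, signFile))
}
```

The sha256 line is only a fast integrity hint; authenticity comes entirely from the signature and the pinned key. Note also what this scheme does and does not prove: a valid signature says these bytes are what the server received, not that the package author uploaded them, so it defends against a tampered mirror or download path, not against a compromised server or upload account.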

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
