Vincent Hanquez <t...@snarc.org> writes:

> You might have misunderstood what I was talking about. I'm proposing
> signing on the hackage server on reception of the package,

Okay, fair enough. You can't *enforce* this, of course, since I might work without general internet access but a local mirror, but you could require me to run 'cabal --dont-check-signatures' or similar, so this would still make a hostile-operated mirror less useful.

OTOH, if I should suggest improving the security of Hackage, I would prioritize:

a) email the maintainer whenever a new upload is accepted - preferably with a notice about whether the build works or fails. Maybe also highlight the case when maintainer differs from uploader - if that doesn't give a ton of false positives.

b) email the *previous* maintainer when a new upload is accepted and the maintainer field has changed.

This way, somebody is likely to actually *notice* when some evil person uploads a trojan mtl or bytestring or whatever.

The downside is more mail, and the people who run Hackage have been wary about this. So perhaps even this is on the wrong side of the cost/benefit fence.

(People with admin privileges (staff or hackers) to hackage can of course still work around everything - crypto signatures or email-schemes.)

-k
--
If I haven't seen further, it is by standing in the footprints of giants

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe