On 12/13/10 8:25 AM, Paul Sargent wrote:
> How about, as a cheap and cheerful method to get up and running. If the premise
> is that the original server is trustworthy and the mirrors aren't, then:
>
> 1) Hash all packages on the original server.
> 2) Hash goes into a side car file (e.g. <packagename>.sha) that lives next
> to the package

I still contend that we shouldn't have to trust the central server either. The hash can be created alongside the sdist on the maintainer's computer, and then both are uploaded to central. Thus, the maintainer can verify that the hash on central matches their own, which ensures that:

(a) the hash that central has is trustworthy
(b) no man-in-the-middle corrupted the sending of the hash to central

These concerns are separate from using the hash to confirm the consistency of the sdist itself. Remember: metadata can be compromised just as easily as data. And the fewer machines we have to trust, the better. Moreover, this approach requires the same amount of implementation work as getting central to make the hashes.

--
Live well,
~wren
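The two checks discussed above (the client comparing the tarball against its side-car, and the maintainer comparing the side-car that central serves against the locally generated copy) can be sketched in a few lines. The code below is an added illustration, not code from the thread or from Hackage; it assumes SHA-256 as the side-car digest (the thread only names a `.sha` file), a `sha256sum`-style side-car format, and uses a constructed package name and constructed tarball bytes. Servers are modelled as in-memory dictionaries so the whole flow runs offline.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample package; not a real Hackage sdist.
PKG = "example-pkg-1.0.0.tar.gz"
SDIST = b"constructed placeholder tarball bytes for example-pkg-1.0.0\n"

Repo = Dict[str, bytes]  # filename -> contents, modelling one server's directory


def hash_sdist(data: bytes) -> str:
    """Hex SHA-256 of the tarball: the value stored in the side-car file (assumed algorithm)."""
    return hashlib.sha256(data).hexdigest()


def sidecar_name(package_filename: str) -> str:
    """Side-car file name, <packagename>.sha, kept next to the package."""
    return package_filename + ".sha"


def make_sidecar(package_filename: str, data: bytes) -> str:
    """Side-car body in sha256sum style: '<hex>  <filename>\\n' (assumed format)."""
    return f"{hash_sdist(data)}  {package_filename}\n"


def parse_sidecar(text: str) -> Optional[Tuple[str, str]]:
    """Return (hex digest, filename), or None if the side-car is malformed."""
    parts = text.strip().split()
    if len(parts) != 2 or len(parts[0]) != 64:
        return None
    try:
        int(parts[0], 16)
    except ValueError:
        return None
    return parts[0].lower(), parts[1]


def verify_sdist(package_filename: str, data: bytes, sidecar_text: str) -> bool:
    """Client-side check: the tarball must match the side-car's digest and file name."""
    parsed = parse_sidecar(sidecar_text)
    if parsed is None:
        return False
    digest, name = parsed
    return name == package_filename and hmac.compare_digest(digest, hash_sdist(data))


def maintainer_upload(data: bytes) -> Tuple[str, Repo]:
    """Maintainer hashes locally, then uploads tarball and side-car to central."""
    sidecar = make_sidecar(PKG, data)
    central: Repo = {PKG: data, sidecar_name(PKG): sidecar.encode()}
    return sidecar, central


def maintainer_check_central(local_sidecar: str, central: Repo) -> bool:
    """Maintainer re-downloads the side-car from central and compares it byte-for-byte."""
    remote = central.get(sidecar_name(PKG), b"")
    return hmac.compare_digest(remote, local_sidecar.encode())


def client_verify(mirror: Repo, sidecar_text: str) -> bool:
    """Client fetches the tarball from a mirror and checks it against a given side-car."""
    return verify_sdist(PKG, mirror.get(PKG, b""), sidecar_text)


def run_scenarios() -> Dict[str, bool]:
    """Walk through the trust cases discussed in the thread; True means the expected outcome."""
    local, central = maintainer_upload(SDIST)
    results: Dict[str, bool] = {}

    # 1. Nobody tampers: both the maintainer's and the client's checks pass.
    mirror = dict(central)
    results["honest_maintainer_check"] = maintainer_check_central(local, central)
    results["honest_client_check"] = client_verify(mirror, local)

    # 2. A mirror swaps the tarball but leaves the side-car alone: the client notices.
    mirror = dict(central)
    mirror[PKG] = SDIST + b"tampered\n"
    results["mirror_swaps_package_detected"] = not client_verify(
        mirror, mirror[sidecar_name(PKG)].decode())

    # 3. The side-car on central differs from the maintainer's copy (altered on
    #    central or corrupted in transit): the maintainer's comparison catches it.
    bad_central = dict(central)
    bad_central[sidecar_name(PKG)] = make_sidecar(PKG, b"something else").encode()
    results["central_alters_sidecar_detected"] = not maintainer_check_central(local, bad_central)

    # 4. A mirror rewrites tarball AND side-car consistently: a client that trusts the
    #    mirror's own side-car is fooled; one using the side-car from central is not.
    evil = SDIST + b"tampered\n"
    mirror = {PKG: evil, sidecar_name(PKG): make_sidecar(PKG, evil).encode()}
    results["consistent_rewrite_fools_mirror_sidecar"] = client_verify(
        mirror, mirror[sidecar_name(PKG)].decode())
    results["consistent_rewrite_caught_by_central_sidecar"] = not client_verify(
        mirror, central[sidecar_name(PKG)].decode())
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
</```

Scenario 4 is the practical caveat: a side-car fetched from the same untrusted mirror as the tarball proves only that the two files are consistent with each other, so the client must obtain the digest from a channel it trusts more than the mirror (central, with the maintainer's cross-check behind it), which is exactly the separation of "metadata" from "data" the message argues for.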

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
