On Thu, 2012-04-19 at 11:12 -0400, Ryan Newton wrote:
Hello all,
Right now I'm trying to answer a simple question:
* Would the current Haskell.org / hackage infrastructure benefit
from the donation of a dedicated VM with good
bandwidth/uptime?
Whoever already knows
There's two options I think:
1. a machine for the central hackage server,
2. a machine for doing package builds
The former will require more organisation, partly because we need the
haskell.org people to have some degree of control over the system. The
latter is easier because the
I wonder if this could get to the point where it could be done
seti-at-home style, farmed out via a VM image. That is people would run
the image to provide resources (and geographic distribution) to the build
server cloud. Maybe they get a fast local mirror as a reward.
If it were every
Hello all,
Right now I'm trying to answer a simple question:
- Would the current Haskell.org / hackage infrastructure benefit from
the donation of a dedicated VM with good bandwidth/uptime?
Whoever already knows how to do this could configure it.
In trying to answer the above question I
Hi,
On Thu, Apr 19, 2012 at 5:12 PM, Ryan Newton rrnew...@gmail.com wrote:
- Would the current Haskell.org / hackage infrastructure benefit from
the donation of a dedicated VM with good bandwidth/uptime?
I can think about at the very least one project (the one you mention
below) that
On 19 April 2012 08:12, Ryan Newton rrnew...@gmail.com wrote:
Hello all,
Right now I'm trying to answer a simple question:
Would the current Haskell.org / hackage infrastructure benefit from the
donation of a dedicated VM with good bandwidth/uptime?
Whoever already knows how to do this
Oh yes, it's hackage2... not hackage1.
On 19 April 2012 11:50, David Terei dave.te...@gmail.com wrote:
On 19 April 2012 08:12, Ryan Newton rrnew...@gmail.com wrote:
Hello all,
Right now I'm trying to answer a simple question:
Would the current Haskell.org / hackage infrastructure benefit
The reason for mirror was availability, yes, and when the signatures were
only on the central server, then the user could choose not to install
packages from mirrors, when they were not available.
But now if the signatures were generated by the uploader, then the mirrors
would be just as secure as
On Sat, Dec 11, 2010 at 19:51, Brandon S Allbery KF8NH
allb...@ece.cmu.edu wrote:
On 12/9/10 16:04 , Richard O'Keefe wrote:
I thought X is a mirror of Y meant X would be a read-only replica of Y,
with some sort of protocol between X and Y to
On 12/13/10 8:25 AM, Paul Sargent wrote:
How about, as a cheap and cheerful method to get up running. If the premise
is that the original server is trustworthy and the mirrors aren't, then:
1) Hash all packages on the original server.
2) Hash goes into a side car file (e.g. packagename.sha) that
On 14/12/2010, at 2:25 AM, Paul Sargent wrote:
On Sat, Dec 11, 2010 at 19:51, Brandon S Allbery KF8NH allb...@ece.cmu.edu
wrote:
On 12/9/10 16:04 , Richard O'Keefe wrote:
I thought X is a mirror of Y meant X would be a read-only replica
On Dec 13, 2010, at 6:15 PM, wren ng thornton w...@freegeek.org wrote:
On 12/13/10 8:25 AM, Paul Sargent wrote:
How about, as a cheap and cheerful method to get up running. If the premise
is that the original server is trustworthy and the mirrors aren't, then:
1) Hash all packages on the
On 12/9/10 4:04 PM, Richard O'Keefe wrote:
On 10/12/2010, at 12:18 AM, Markus Läll wrote:
My take on the issue is that we should make it possible to easily mirror
hackage (what the OP asked for), so that people could use it when they wanted
to, and have a list of the mirrors on the wiki.
On 12/11/10 5:59 AM, wren ng thornton wrote:
On 12/9/10 4:04 PM, Richard O'Keefe wrote:
As long as the material from Y replicated at X is *supposed* to be
publicly available, I don't see a security problem here. Only Y accepts
updates from outside, and it continues to do whatever authentication
On 12/9/10 16:04 , Richard O'Keefe wrote:
I thought X is a mirror of Y meant X would be a read-only replica of Y,
with some sort of protocol between X and Y to keep X up to date.
As long as the material from Y replicated at X is *supposed* to be
On 08/12/10 20:25, Luke Palmer wrote:
I could upload a new version of mtl if I wanted. Plenty of people
would install it.
Correct me if I'm wrong; you would appear in the UploadedBy, and then
you might be challenged by the traditional uploaders or attentive users
(most users wouldn't know
On 08/12/10 10:41, Ketil Malde wrote:
Yes. And you should start with assessing how much cost and
inconvenience you are willing to suffer for the improvement in
security you gain. In this case, my assertion is that the marginal
worsening of security by having a mirror of hackage even without
My take on the issue is that we should make it possible to easily mirror
hackage (what the OP asked for), so that people could use it when they
wanted to, and have a list of the mirrors on the wiki. This way those who
are interested can use them. Like when the mirror is faster/closer to them
or to
On 9 December 2010 20:55, Vincent Hanquez t...@snarc.org wrote:
You might have misunderstood what I was talking about. I'm proposing signing
on the hackage server on reception of the package,
where it can be verified by cabal that the package hasn't been signed
properly.
By cabal, are you
On Thu, Dec 09, 2010 at 10:45:39PM +1100, Ivan Lazar Miljenovic wrote:
On 9 December 2010 20:55, Vincent Hanquez t...@snarc.org wrote:
You might have misunderstood what I was talking about. I'm proposing signing
on the hackage server on reception of the package,
where it can be verified
On 10/12/2010, at 12:18 AM, Markus Läll wrote:
My take on the issue is that we should make it possible to easily mirror
hackage (what the OP asked for), so that people could use it when they wanted
to, and have a list of the mirrors on the wiki. This way those who are
interested can use
Richard O'Keefe o...@cs.otago.ac.nz wrote:
I thought X is a mirror of Y meant X would be a read-only replica of Y,
with some sort of protocol between X and Y to keep X up to date.
As long as the material from Y replicated at X is *supposed* to be
publicly available, I don't see a security
On Thu, Dec 9, 2010 at 11:04 PM, Richard O'Keefe o...@cs.otago.ac.nz wrote:
On 10/12/2010, at 12:18 AM, Markus Läll wrote:
My take on the issue is that we should make it possible to easily mirror
hackage (what the OP asked for), so that people could use it when they
wanted to, and have a
On 9 December 2010 21:04, Richard O'Keefe o...@cs.otago.ac.nz wrote:
On 10/12/2010, at 12:18 AM, Markus Läll wrote:
My take on the issue is that we should make it possible to easily mirror
hackage (what the OP asked for), so that people could use it when they
wanted to, and have a list of
On 10/12/2010, at 10:50 AM, Riad S. Wahby wrote:
Richard O'Keefe o...@cs.otago.ac.nz wrote:
I thought X is a mirror of Y meant X would be a read-only replica of Y,
with some sort of protocol between X and Y to keep X up to date.
As long as the material from Y replicated at X is *supposed* to
Darrin Chandler dwchand...@stilyagin.com writes:
It's not obvious to me that adding a mirror makes the infrastructure
more insecure. Any particular concerns? (I hope I qualify as
naïve here :-)
If you run a mirror people will come to you for software to run on their
machines. I see a
On 08/12/10 08:13, Ketil Malde wrote:
My apologies for not expressing myself more clearly. What I mean is
that currently, Hackage has a ton of users, each of whom may at whim
upload a new version of any library. It's not clear to me that security
is significantly worsened by adding a mirror.
Vincent Hanquez t...@snarc.org writes:
You have to start somewhere with security.
Yes. And you should start with assessing how much cost and
inconvenience you are willing to suffer for the improvement in
security you gain. In this case, my assertion is that the marginal
worsening of security
On Wed, Dec 08, 2010 at 11:41:31AM +0100, Ketil Malde wrote:
Vincent Hanquez t...@snarc.org writes:
You have to start somewhere with security.
Yes. And you should start with assessing how much cost and
inconvenience you are willing to suffer for the improvement in
security you gain. In
On Wed, Dec 8, 2010 at 5:41 AM, Ketil Malde ke...@malde.org wrote:
I'm a bit surprised to find that there seems to be a lot of opposition
to this view, but perhaps the existing structure is more secure than I
thought?
The difference is in the ability to influence other packages and
metadata, I
On Wed, Dec 8, 2010 at 8:29 AM, C. McCann c...@uptoisomorphism.net wrote:
On Wed, Dec 8, 2010 at 5:41 AM, Ketil Malde ke...@malde.org wrote:
I'm a bit surprised to find that there seems to be a lot of opposition
to this view, but perhaps the existing structure is more secure than I
thought?
Dan Knapp dan...@gmail.com writes:
I agree that signed packages are a good idea. We should move with all
haste to implement them. But I'm not sure we want to hold up
everything else while we wait for that.
IMO, mirroring is orthogonal to that, too.
That's also my take on a peer-peer
On 12/7/10 08:07 , Ketil Malde wrote:
Dan Knapp dan...@gmail.com writes:
I agree that signed packages are a good idea. We should move with all
haste to implement them. But I'm not sure we want to hold up
everything else while we wait for that.
On 4 December 2010 16:31, Dan Knapp dan...@gmail.com wrote:
With Hackage down, now seemed like a good time to push this issue
again. It's such an important site to us that it's really rather a
shame there are no mirrors of it. I have a personal-and-business
server in a data center in Newark,
Brandon S Allbery KF8NH allb...@ece.cmu.edu writes:
IMO, mirroring is orthogonal to that, too.
Only if you consider security a minor or non-issue.
What I mean is that you can mirror a repository regardless of whether
packages are signed or not.
I'm tempted to say anyone who believes that
On Tue, Dec 07, 2010 at 11:04:04PM +0100, Ketil Malde wrote:
It's not obvious to me that adding a mirror makes the infrastructure
more insecure. Any particular concerns? (I hope I qualify as
naïve here :-)
If you run a mirror people will come to you for software to run on their
On 12/7/10 18:53 , Darrin Chandler wrote:
On Tue, Dec 07, 2010 at 11:04:04PM +0100, Ketil Malde wrote:
It's not obvious to me that adding a mirror makes the infrastructure
more insecure. Any particular concerns? (I hope I qualify as
naïve
On 12/6/10 2:35 AM, Vincent Hanquez wrote:
I would really like mirrors too.
But before that happens it would be nice to have signed packages on
Hackage, preventing
a mirror to distribute compromised stuff (intentionally or
unintentionally).
+1.
This should be done during sdist, before
Wow, this thread got long. Good! I'm hopeful that we can take some
action now. :)
My views on the issues that have been raised -
The Haskell steering committee is a good thing and I fully support
them. I also support the current maintainer of the site; I don't want
to take over or anything,
On 5 December 2010 18:41, Florian Lengyel florian.leng...@gmail.com wrote:
Why is there even any consideration of some committee if someone wants to
mirror the Hackage site? Why not mirror the site?
Presumably to make it an official mirror, and possibly due to the
licenses of some content on
On 12/4/10 10:34 PM, wren ng thornton wrote:
FWIW, I've been on the board of directors for a 501(c)(3), helped write
their bylaws, and know a few people in the business (lawyers, etc). I'm
willing to offer advice, effort, and references whenever the committee
decides to do this.
I tried cc-ing
Florian Lengyel florian.leng...@gmail.com writes:
Why is there even any consideration of some committee if someone wants to
mirror the Hackage site? Why not mirror the site?
+1
Alright, Mr. Wiseguy, she said, if you're so clever, you tell us
what colour it should be.
We can either let
On 12/5/10 02:41 , Florian Lengyel wrote:
Why is there even any consideration of some committee if someone wants to
mirror the Hackage site? Why not mirror the site?
Because it would be nice to have a mirror run by someone (a) accountable (b)
who
On 12/5/10 11:23 AM, Ketil Malde wrote:
Florian Lengyel florian.leng...@gmail.com writes:
Why is there even any consideration of some committee if someone wants to
mirror the Hackage site? Why not mirror the site?
+1
Alright, Mr. Wiseguy, she said, if you're so clever, you tell us
I would really like mirrors too.
But before that happens it would be nice to have signed packages on
Hackage, preventing
a mirror to distribute compromised stuff (intentionally or unintentionally).
--
Vincent
___
Haskell-Cafe mailing list
I am no decision maker regarding Hackage, but I would like to echo my
support for this offer. Hackage is a vital part of my workflow, and I'm
sure I'm not the only one. Its importance to the Haskell community has
grown quickly and is continuing to do so. Each time it goes down, the
impact is
This is a very generous offer. However, I must say I like the following idea
more:
http://www.reddit.com/r/haskell/comments/efw38/reminder_hackagehaskellorg_outage_tomorrow_due_to/c17u7nk
On 4 December 2010 16:31, Dan Knapp dan...@gmail.com wrote:
With Hackage down, now seemed like a good time
Ozgur Akgun ozgurak...@gmail.com wrote:
This is a very generous offer. However, I must say I like the following idea
more:
http://www.reddit.com/r/haskell/comments/efw38/reminder_hackagehaskellorg_outage_tomorrow_due_to/c17u7nk
I'd support this, but I'm strongly in favor of the use of
On 12/4/10 11:31 AM, Dan Knapp wrote:
With Hackage down, now seemed like a good time to push this issue
again. It's such an important site to us that it's really rather a
shame there are no mirrors of it. I have a personal-and-business
server in a data center in Newark, with a fair chunk of
On 12/4/10 2:21 PM, Riad S. Wahby wrote:
Ozgur Akgun ozgurak...@gmail.com wrote:
This is a very generous offer. However, I must say I like the following idea
more:
http://www.reddit.com/r/haskell/comments/efw38/reminder_hackagehaskellorg_outage_tomorrow_due_to/c17u7nk
That sounds like a
wren ng thornton w...@freegeek.org wrote:
Semantic Parse Fail: did you mean the latter or strongly opposed to?
s/former/latter/
:)
-=rsw
___
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
Why is there even any consideration of some committee if someone wants to
mirror the Hackage site? Why not mirror the site?