Thanks for such a detailed reply, Duncan.

> I think optional GPG signatures is a good idea, and I think in principle
> we would accept the patch. However it does have to be opt-in only: both
> opt-in for authors signing, and opt-in for clients checking.

Okay.

> However, as I've said, these two security measures are complementary; we
> can have both. I can imagine a situation in which all packages are
> signed by the server, but some important ones are also signed by the
> authors, giving us a higher level of assurance of authenticity and
> integrity for those packages.

Indeed.

> So yes, you're welcome to help with either GPG signing or this
> alternative scheme, whichever you'd prefer to hack on.

I intend to hack on the former. I’ll be sending progress reports, questions, and so forth to this list, so stay tuned. If anyone wants to collaborate, don’t hesitate to contact me.
[attachment: PGP signature]
_______________________________________________
cabal-devel mailing list
cabal-devel@haskell.org
http://www.haskell.org/mailman/listinfo/cabal-devel
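The two-layer scheme discussed in the quoted exchange (every package signed by the server, some additionally signed by their authors, with both author signing and client checking opt-in) can be made concrete as a client-side verification policy. The following is an added example written for this page; it is not code from Cabal, Hackage, or either correspondent. It stands in Ed25519 from Go's standard library for GPG (the policy logic is the same whichever signature scheme carries it), and the `SignedPackage`, `ClientPolicy` and `Verify` names, the package names and the tarball bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is what a client fetches: the tarball, the server's
// signature over its digest, and, only when the author opted in, the
// author's signature over the same digest. (Hypothetical layout for this
// example, not Cabal's or Hackage's.)
type SignedPackage struct {
	Name      string
	Tarball   []byte
	ServerSig []byte
	AuthorSig []byte // nil when the author did not sign
}

// ClientPolicy records what this client has chosen to trust and to demand.
type ClientPolicy struct {
	ServerKey     ed25519.PublicKey
	AuthorKeys    map[string]ed25519.PublicKey // package name -> author key the client trusts
	RequireAuthor map[string]bool              // packages for which the client opted in to require an author signature
}

// packageDigest is the message both parties sign: a hash of the tarball
// bound to the package name, so a signature on one package cannot be
// replayed onto another package's index entry.
func packageDigest(name string, tarball []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/tarball boundaries are unambiguous
	h.Write(tarball)
	return h.Sum(nil)
}

// SignPackage always produces the server signature and, when the author
// opted in (authorKey != nil), the author signature too.
func SignPackage(serverKey, authorKey ed25519.PrivateKey, name string, tarball []byte) SignedPackage {
	d := packageDigest(name, tarball)
	p := SignedPackage{Name: name, Tarball: tarball, ServerSig: ed25519.Sign(serverKey, d)}
	if authorKey != nil {
		p.AuthorSig = ed25519.Sign(authorKey, d)
	}
	return p
}

var (
	ErrServerSig    = errors.New("server signature invalid")
	ErrAuthorSig    = errors.New("author signature invalid")
	ErrAuthorAbsent = errors.New("author signature required but absent or unverifiable")
)

// Verify applies the opt-in policy and reports the assurance level reached:
// "server" (integrity from the server only) or "server+author".
func Verify(pol ClientPolicy, p SignedPackage) (string, error) {
	d := packageDigest(p.Name, p.Tarball)
	if !ed25519.Verify(pol.ServerKey, d, p.ServerSig) {
		return "", ErrServerSig // the mandatory layer failed; nothing else matters
	}
	key, known := pol.AuthorKeys[p.Name]
	switch {
	case p.AuthorSig != nil && known:
		// A signature is present and we hold a key for it: a bad signature is
		// rejected even if the client never opted in to require one.
		if !ed25519.Verify(key, d, p.AuthorSig) {
			return "", ErrAuthorSig
		}
		return "server+author", nil
	case pol.RequireAuthor[p.Name]:
		// Client opted in for this package but there is nothing it can verify.
		return "", ErrAuthorAbsent
	default:
		// Not author-signed, or signed with a key we do not hold: fall back
		// to the server-only guarantee, which is all a non-opted-in client asks for.
		return "server", nil
	}
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	serverPub, serverPriv := mustKey()
	authorPub, authorPriv := mustKey()
	// Constructed sample packages; real input would be the .tar.gz bytes.
	foo := SignPackage(serverPriv, nil, "foo-1.0", []byte("constructed tarball of foo"))
	bar := SignPackage(serverPriv, authorPriv, "bar-2.3", []byte("constructed tarball of bar"))
	pol := ClientPolicy{
		ServerKey:     serverPub,
		AuthorKeys:    map[string]ed25519.PublicKey{"bar-2.3": authorPub},
		RequireAuthor: map[string]bool{"bar-2.3": true},
	}
	for _, p := range []SignedPackage{foo, bar} {
		lvl, err := Verify(pol, p)
		fmt.Printf("%-8s level=%q err=%v\n", p.Name, lvl, err)
	}
	tampered := bar
	tampered.Tarball = []byte("tampered tarball")
	_, err := Verify(pol, tampered)
	fmt.Println("tampered:", err)
}
```

Two design points worth keeping if this is ported to real GPG: the signed message binds the package name to the tarball digest (otherwise a valid signature for one release can be presented for another), and a present-but-invalid author signature is treated as a failure even by clients that never opted in, since the only honest way to produce an invalid signature is tampering.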