> If a package is signed, the maintainers have the permission to sign. If > it’s necessary to add a maintainer, the uploader lists a username in a > file, signs it, and uploads. (Is there a better way to achieve the same > thing?) The server checks the signature, parses the file, and adds the > usernames to the maintainers group.
> Since it’s important to sign the file locally, there should be a > convenience tool allowing to select the usernames. This is too complicated and has some drawbacks. I’m currently working on the following: 1. It should be possible to upload a signature while uploading a package. The server must check that the signature corresponds to the uploader’s key. 2. If it’s necessary to add a new maintainer, the initial uploader must sign the public key of the said maintainer. (This will be checked by cabal-install.) For ‘cabal-install’: 1. A warning must be raised if a package that was signed previously is not signed. 2. If a package is signed but was not signed previously, ‘cabal-install’ must check its signature and add the public key to the cache. 3. If a package was signed but now is signed with a different key, ‘cabal-install’ must check whether this key is signed with the previously-known key corresponding to this package, then verify the signature. If not, a warning must be raised.
pgpDWLBP5HHEo.pgp
Description: PGP signature
_______________________________________________ cabal-devel mailing list cabal-devel@haskell.org http://www.haskell.org/mailman/listinfo/cabal-devel
