Vincent Hanquez <t...@snarc.org> wrote:

> I agree this is terrible, I've started working on this, but this is
> quite a bit of work and other priorities always pop up.
>
> https://github.com/vincenthz/cabal
> https://github.com/vincenthz/cabal-signature
>
> My current implementation generates a manifest during sdist'ing in
> cabal, and has cabal-signature called by cabal on the manifest to
> create a manifest.sign.
>
> The main issue I'm facing is how to create a Web of Trust for doing
> all the public verification bits.

You don't need it yet. See my other post. Once the basic infrastructure for signatures is established, you can allow the user to have a set of trusted keys. The idea is that users can ask for keys and/or import keys from key servers. In the worst case they accept keys when installing a package.

Once you have such a trust database you can allow users to select whether a key is to be trusted for signing other keys. Then you have basically everything to establish both hierarchical trust relationships (like CAs) and webs of trust.

Greets,
Ertugrul

--
Not to be or to be and (not to be or to be and (not to be or to be
and (not to be or to be and ... that is the list monad.

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
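
The trust database described in the reply above, as an added Python sketch that is not part of the original message and not code from cabal or cabal-signature. The class, method names and key ids are hypothetical, and certifications are assumed to have been cryptographically verified before they are recorded.

```python
# Added illustration; all names and key ids are constructed sample data.
class TrustDB:
    def __init__(self):
        self.accepted = set()     # keys the user imported or accepted directly
        self.introducers = set()  # keys the user trusts for signing other keys
        self.certs = {}           # signer key id -> key ids it has signed

    def accept(self, key_id, may_sign_keys=False):
        self.accepted.add(key_id)
        if may_sign_keys:
            self.introducers.add(key_id)

    def mark_introducer(self, key_id):
        # Grants certification power only; the key must still be valid itself.
        self.introducers.add(key_id)

    def add_cert(self, signer, subject):
        # Assumption: the signature on the subject key was already verified.
        self.certs.setdefault(signer, set()).add(subject)

    def valid_keys(self):
        """Accepted keys plus every key certified by a valid introducer."""
        valid = set(self.accepted)
        changed = True
        while changed:
            changed = False
            for signer in valid & self.introducers:
                new = self.certs.get(signer, set()) - valid
                if new:
                    valid |= new
                    changed = True
        return valid

    def accepts_package(self, signer_key):
        return signer_key in self.valid_keys()

def demo():
    db = TrustDB()
    db.accept("KEY-ALICE")                     # trusted for packages only
    db.accept("KEY-ROOT", may_sign_keys=True)  # CA-like root
    db.add_cert("KEY-ROOT", "KEY-BOB")         # hierarchical: root vouches for Bob
    db.add_cert("KEY-ALICE", "KEY-DAVE")       # ignored: Alice is no introducer
    db.add_cert("KEY-BOB", "KEY-CAROL")
    before = db.accepts_package("KEY-CAROL")   # Bob is valid but not an introducer
    db.mark_introducer("KEY-BOB")              # web of trust: user extends trust to Bob
    after = db.accepts_package("KEY-CAROL")
    db.mark_introducer("KEY-DAVE")             # Dave is not valid, so this grants nothing
    db.add_cert("KEY-DAVE", "KEY-ERIN")
    return (db.accepts_package("KEY-BOB"), db.accepts_package("KEY-DAVE"),
            before, after, db.accepts_package("KEY-ERIN"))
```

With only `KEY-ROOT` marked as an introducer the database behaves like a CA hierarchy; marking further valid keys as introducers turns the same structure into a web of trust.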