??????? ?????? wrote:
>
>> No no no! Why not download the normal (signed) cabal list from the
>> DHT (and optionally directly from hackage.haskell.org)? These are all
>> the packages that would appear on the website. Why serve any other
>> content? All nodes in the DHT may check and make sure the file (or
>> fragment) being served is properly signed.
>>
>> Any desire for popularity or tagging capability should be separate.
>>
> Because a single hackage private key can be brute-forced or stolen
> far more easily than lots and lots of keys of random people.

You only need to compromise one well-trusted key to compromise the system.

Cheers, Jochem

--
Jochem Berndsen | joc...@functor.nl | joc...@????.com