On 12/9/10 4:04 PM, Richard O'Keefe wrote:
> On 10/12/2010, at 12:18 AM, Markus Läll wrote:
>> My take on the issue is that we should make it possible to easily mirror
>> hackage (what the OP asked for), so that people could use it when they wanted
>> to, and have a list of the mirrors on the wiki. This way those who are
>> interested can use them. Like when the mirror is faster/closer to them or to
>> help out when hackage is temporarily down. Those who need the security can
>> choose not to use mirrors, or make their own (private), or develop a secure
>> scheme, when it doesn't exist yet.
>
> Have I misunderstood something?
> I thought "X is a mirror of Y" meant X would be a read-only replica of Y,
> with some sort of protocol between X and Y to keep X up to date.
> As long as the material from Y replicated at X is *supposed* to be
> publicly available, I don't see a security problem here. Only Y accepts
> updates from outside, and it continues to do whatever authentication it
> would do without a mirror. The mirror X would *not* accept updates.

The security issue is how does a client, C, know to trust X (maybe X is
evil) or know to trust the transmission of data from Y to X (maybe a man
in the middle corrupted things and X has become a confused deputy), etc.
The concern isn't for the consistency of Y's data, it's for the
consistency of X's data as a replica of Y's.
--
Live well,
~wren
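
The concern in the message above (can client C rely on X's copy of Y's data?) can be made concrete with the following added example, which is not part of the original thread and not Hackage's or cabal's own code. It assumes Y publishes a digest manifest that C obtains over a channel it already trusts; the names `build_manifest` and `audit_mirror` and all sample data are hypothetical.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(origin_files: dict) -> dict:
    """Origin Y: publish name -> SHA-256 for every file it serves."""
    return {name: sha256_hex(blob) for name, blob in origin_files.items()}


def audit_mirror(mirror_files: dict, manifest: dict) -> dict:
    """Client C: classify each file on mirror X relative to Y's manifest.

    Assumption: the manifest reached C from Y over a channel C already
    trusts (or carries a signature by Y); that step is not implemented here.
    """
    report = {}
    for name, expected in manifest.items():
        blob = mirror_files.get(name)
        if blob is None:
            report[name] = "missing"      # X withholds a file Y published
        elif hmac.compare_digest(expected, sha256_hex(blob)):
            report[name] = "ok"           # byte-for-byte replica of Y's file
        else:
            report[name] = "tampered"     # evil X, or corruption between Y and X
    for name in mirror_files.keys() - manifest.keys():
        report[name] = "unpublished"      # X serves something Y never released
    return report


# Constructed sample data (not real Hackage packages).
ORIGIN = {
    "foo-1.0.tar.gz": b"module Foo where\n",
    "bar-2.1.tar.gz": b"module Bar where\n",
}
MANIFEST = build_manifest(ORIGIN)
HONEST_X = dict(ORIGIN)
BAD_X = {
    "foo-1.0.tar.gz": b"module Foo where\nimport Evil\n",  # altered content
    "baz-0.1.tar.gz": b"module Baz where\n",               # never published by Y
}

if __name__ == "__main__":
    print(audit_mirror(HONEST_X, MANIFEST))
    print(audit_mirror(BAD_X, MANIFEST))
```

With this split, C only has to trust Y for the small manifest; the bulk data can come from any X, because a mismatch is detected regardless of whether X or the Y-to-X transfer caused it.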