On Dec 13, 2010, at 6:15 PM, wren ng thornton <[email protected]> wrote:

On 12/13/10 8:25 AM, Paul Sargent wrote:
How about this as a cheap and cheerful method to get up and running? If the premise
is that the original server is trustworthy and the mirrors aren't, then:

1) Hash all packages on the original server.
2) Hash goes into a side car file (e.g. <packagename>.sha) that lives next
to the package


If hashes are added to the package information "cabal update" downloads, 
installing packages from mirrors will continue to work during a central outage.

I still contend that we shouldn't have to trust the central server either. The 
hash can be created alongside the sdist on the maintainer's computer, and then 
both are uploaded to central. Thus, the maintainer can verify that the hash on 
central matches their own, which ensures that:

For now, it's enough to find a simple scheme where adding untrusted mirrors is 
no worse than the current situation. Hashes seem to work for that:
1. cabal update always reads from the central server (if uploads are impossible 
when the central server is down, the package list won't even get stale)
2. The package descriptions are extended with hashes
3. Cabal may download packages from mirrors, but checks the hash.

Your proposal doesn't narrow trust to the maintainers (which is currently open 
to the public anyway), because an adversary as described could return the 
correct hash and package for the maintainer, and the corrupted version to 
others.

Brandon
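As an added illustration (a constructed Python model, not cabal's or Hackage's code), the three-step scheme above: a hash-carrying index read from central, a mirror download checked against it, a tampered mirror copy rejected. The second half models the adversary from the last paragraph, a central server that shows the maintainer the genuine pair and everyone else a substituted pair; the maintainer's comparison and every other user's hash check both pass, which is why the scheme is no worse than today but does not narrow trust below central. Package names, byte contents and requester names are all constructed.

```python
import hashlib
import hmac

# Constructed sdist bytes standing in for a real package tarball (not a real package).
GENUINE = {"foo-1.0.tar.gz": b"foo source tree, version 1.0\n"}
SUBSTITUTED = {"foo-1.0.tar.gz": b"foo source tree, version 1.0, with an added payload\n"}


def sha256_hex(data: bytes) -> str:
    """The per-package hash the scheme adds to the package descriptions."""
    return hashlib.sha256(data).hexdigest()


def build_index(packages: dict) -> dict:
    """Step 2: the index 'cabal update' fetches from central, extended with one hash per package."""
    return {name: sha256_hex(data) for name, data in packages.items()}


class Mirror:
    """An untrusted mirror; nothing it serves is accepted without a hash check."""
    def __init__(self, files: dict):
        self.files = dict(files)

    def fetch(self, name: str) -> bytes:
        return self.files[name]


def install(name: str, index: dict, mirror: Mirror) -> bytes:
    """Step 3: fetch from a mirror, accept only if the bytes match the hash from central."""
    if name not in index:
        raise KeyError(f"{name} is not in the index")
    data = mirror.fetch(name)
    if not hmac.compare_digest(sha256_hex(data), index[name]):
        raise ValueError(f"{name}: mirror copy does not match the index hash, rejected")
    return data


class SplitViewCentral:
    """The adversary from the last paragraph: a central server that shows the maintainer
    the genuine index and package while handing everyone else a substituted pair."""
    def __init__(self, genuine: dict, substituted: dict, maintainer: str):
        self.genuine, self.substituted, self.maintainer = genuine, substituted, maintainer

    def packages_for(self, requester: str) -> dict:
        return self.genuine if requester == self.maintainer else self.substituted

    def index_for(self, requester: str) -> dict:
        return build_index(self.packages_for(requester))

    def mirror_for(self, requester: str) -> Mirror:
        # Mirrors sync from whatever central serves them, so they carry the same split view.
        return Mirror(self.packages_for(requester))


def demo() -> dict:
    name = "foo-1.0.tar.gz"
    results = {}

    # Honest central, untrusted mirrors: the hash check lets a faithful copy through ...
    index = build_index(GENUINE)
    results["honest_mirror_ok"] = install(name, index, Mirror(GENUINE)) == GENUINE[name]
    # ... and rejects a mirror that serves altered bytes.
    try:
        install(name, index, Mirror(SUBSTITUTED))
        results["tampered_mirror_rejected"] = False
    except ValueError:
        results["tampered_mirror_rejected"] = True

    # Dishonest central with a split view: the maintainer's own comparison passes ...
    central = SplitViewCentral(GENUINE, SUBSTITUTED, maintainer="maintainer")
    results["maintainer_sees_match"] = hmac.compare_digest(
        central.index_for("maintainer")[name], sha256_hex(GENUINE[name]))
    # ... and so does another user's hash check, because hash and package were swapped together.
    got = install(name, central.index_for("alice"), central.mirror_for("alice"))
    results["other_user_hash_check_passes"] = True
    results["other_user_got_genuine"] = got == GENUINE[name]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check is what makes an untrusted mirror safe to add: the only thing a mirror can do is serve bytes that fail verification. The split-view half shows the limit of that guarantee: the hash is only as trustworthy as the server that published it, so the maintainer's spot check on central does not protect anyone central chooses to treat differently.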



_______________________________________________
Haskell-Cafe mailing list
[email protected]
http://www.haskell.org/mailman/listinfo/haskell-cafe
