I’ve just pushed the commit [1] that allows caching OpenPGP public keys on
‘cabal update’. (Note that I haven’t written the needed code for ‘cabal
install’ yet, so the rest of this message is only about ‘update’.)
After talking to people on #gnupg (thanks!), I decided to abandon the
previous idea o
I’ve just pushed a bit more code [1]. Now it’s possible to upload an
ASCII-armored OpenPGP signature, which is optional, while uploading a
package or a package candidate. If a signature is present, the download
link will be shown in the “Downloads” list.
Questions:
1. ‘backup’ doesn’t work yet.
> If a package is signed, the maintainers have the permission to sign. If
> it’s necessary to add a maintainer, the uploader lists a username in a
> file, signs it, and uploads. (Is there a better way to achieve the same
> thing?) The server checks the signature, parses the file, and adds the
>
I created a repository on Gitorious and pushed a couple of commits to
the openpgp branch [1]. (There is nothing related to cabal-install yet,
so apologies for off-topic.)
[1] https://gitorious.org/hackage-server/hackage-server/commits/openpgp
I’ve been extremely busy recently, so I only answer the questions for
now. Please speak up if you see a possibility for an attack, or if
something is not clear or not efficient.
> If you go for GPG, here's some issues to consider:
> * Who is allowed to sign for each package? Do we place any
Thanks for such a detailed reply, Duncan.
> I think optional GPG signatures is a good idea, and I think in principle
> we would accept the patch. However it does have to be opt-in only: both
> opt-in for authors signing, and opt-in for clients checking.
Okay.
> However, as I've said, these two s
On Wed, 2014-04-30 at 03:15 +0400, Nikita Karetnikov wrote:
> Following up on the “cabal-install: Replacing HTTP with HTTPS” thread.
> I think we can do better. I want to make sure that people will notice
> if someone compromises the packages on hackage.haskell.org.
>
> Here’s a rough plan:
>
>
Hi,
On 3 May 2014 02:31, Nikita Karetnikov wrote:
> I’ve been told off-list that relying on external tools (such as GPG) may
> be problematic. Is it the case? And if so, could you elaborate?
Yes, we want to make cabal-install as self-contained as possible,
since it makes installation/distribut
I’ve been told off-list that relying on external tools (such as GPG) may
be problematic. Is it the case? And if so, could you elaborate?
___
cabal-devel mailing list
cabal-devel@haskell.org
http://www.haske
Hi,
On 30 April 2014 01:15, Nikita Karetnikov wrote:
> Following up on the “cabal-install: Replacing HTTP with HTTPS” thread.
> I think we can do better. I want to make sure that people will notice
> if someone compromises the packages on hackage.haskell.org.
>[...]
I believe Austin Seipp had s