IMHO Hackage and Cabal should support package signing even if they aren't package managers.

On Wed, Jan 30, 2013 at 6:59 PM, Joachim Breitner <nome...@debian.org> wrote:
> Hi,
>
> On Wednesday, 30.01.2013, at 11:27 -0800, Edward Z. Yang wrote:
>> https://status.heroku.com/incidents/489
>>
>> Unsigned Hackage packages are a ticking time bomb.
>
> another reason why Cabal is no package manager¹.
>
> (Ok, I admit that I don’t review every line of diff between the Haskell
> packages I upload. But thanks to http://hdiff.luite.com/ I at least
> glance over them most of the time – a hurdle that malicious code would
> have to take. And once a package has entered a distribution like Debian
> (which it only can with a valid cryptographic signature), checksums and
> signatures are used in many places to (mostly) guarantee that the
> package reaches the user unmodified.)
>
> Greetings,
> Joachim
>
> ¹ http://ivanmiljenovic.wordpress.com/2010/03/15/repeat-after-me-cabal-is-not-a-package-manager/
>
> --
> Joachim "nomeata" Breitner
> Debian Developer
> nome...@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
> JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata
>
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe@haskell.org
> http://www.haskell.org/mailman/listinfo/haskell-cafe
>

--
Felipe.