Hey dude, it looks like we made the same project yesterday: http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/
Yours is nice as it doesn't depend on GPG. Although that could be a nice thing because GPG manages keys. Dunno. Another diff is that mine puts the .sig inside the .tar.gz, yours puts it separate. =)

On 31 January 2013 09:11, Vincent Hanquez <t...@snarc.org> wrote:
> On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
>>
>> https://status.heroku.com/incidents/489
>>
>> Unsigned Hackage packages are a ticking time bomb.
>>
> I agree this is terrible, I've started working on this, but this is quite a
> bit of work and other priorities always pop up.
>
> https://github.com/vincenthz/cabal
> https://github.com/vincenthz/cabal-signature
>
> My current implementation generates a manifest during sdist'ing in cabal, and
> has cabal-signature called by cabal on the manifest to create a
> manifest.sign.
>
> The main issue I'm facing is how to create a Web of Trust for doing all the
> public verification bits.
>
> --
> Vincent
>
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe@haskell.org
> http://www.haskell.org/mailman/listinfo/haskell-cafe