On Fri, Feb 01, 2013 at 01:07:33PM +0100, Christopher Done wrote:
> Hey dude, it looks like we made the same project yesterday:
>
> http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/
>
> Yours is nice as it doesn't depend on GPG. Although that could be a
> nice thing because GPG manages keys. Dunno.
>
> Another diff is that mine puts the .sig inside the .tar.gz, yours puts
> it separate.
Nice to see a productive discussion on this. /me really needs to read reddit more :)

Couple of details: no, the signature is going inside the tarball too. The signature process happens during the sdisting, after building the manifest. My reason for doing so, which I suspect is similar to yours, is that I don't need to modify hackage this way and the uploading stays the same. Also in my case, cabal-signature is called by cabal, not by the user. I can't see this effort working without forcing everyone to use it (transparently in the background).

For gpg, I don't know what's the right answer. On one hand it's solving all the problems related to this already, but on the other there's the portability issue. I was thinking maybe one way to verify the key that I use for signing would be to tie it to a personal gpg key (by signing the key with a gpg key) to benefit from all the facilities that gpg provides. It would provide a cheap way to switch model later, without being tied to a gpg signing process.

-- 
Vincent

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe