The Python and Ruby communities are actively working on improving the security of their packaging infrastructure. I haven't paid close attention to any of the efforts so far, but anyone working on cabal/hackage security should probably take a peek. I lurk on Python's catalog-sig list, and here are the interesting bits I've noticed from the past few weeks:
[Catalog-sig] [Draft] Package signing and verification process
http://mail.python.org/pipermail/catalog-sig/2013-February/004832.html

[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
http://mail.python.org/pipermail/catalog-sig/2013-February/004994.html

Python PyPi Security Working Document:
https://docs.google.com/document/d/1e3g1v8INHjHsUJ-Q0odQOO8s91KMAbqLQyqj20CSZYA/edit

Rubygems Threat Model:
http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html
https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb_SA/edit

TUF: The Update Framework
https://www.updateframework.com/

On Fri, Feb 1, 2013 at 4:07 AM, Christopher Done <chrisd...@gmail.com> wrote:
> Hey dude, it looks like we made the same project yesterday:
>
> http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/
>
> Yours is nice as it doesn't depend on GPG. Although that could be a
> nice thing because GPG manages keys. Dunno.
>
> Another diff is that mine puts the .sig inside the .tar.gz, yours puts
> it separate.
>
> =)
>
> On 31 January 2013 09:11, Vincent Hanquez <t...@snarc.org> wrote:
> > On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
> >>
> >> https://status.heroku.com/incidents/489
> >>
> >> Unsigned Hackage packages are a ticking time bomb.
> >>
> > I agree this is terrible. I've started working on this, but this is quite a
> > bit of work and other priorities always pop up.
> >
> > https://github.com/vincenthz/cabal
> > https://github.com/vincenthz/cabal-signature
> >
> > My current implementation generates a manifest during sdist'ing in cabal, and
> > has cabal-signature called by cabal on the manifest to create a
> > manifest.sign.
> >
> > The main issue I'm facing is how to create a Web of Trust for doing all the
> > public verification bits.
> >
> > --
> > Vincent
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
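The manifest-then-signature design Vincent describes above (hash every file in the sdist into a manifest, sign the manifest, ship the signature as a separate `manifest.sign`) and Christopher's detached-versus-embedded signature question are easy to see end to end in code. The following is an added example written for this thread; it is not code from cabal-signature, from either of the two projects mentioned, or from the Python/Ruby proposals. It assumes Ed25519 for the signature (the thread does not name an algorithm), uses an in-memory map of constructed sample files as a stand-in for the tarball's contents, and the manifest format and function names (`BuildManifest`, `SignManifest`, `VerifyPackage`) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// sampleFiles is a constructed stand-in for the contents of an sdist
// tarball: relative path -> file bytes. A real tool would read the archive.
var sampleFiles = map[string][]byte{
	"foo.cabal":  []byte("name: foo\nversion: 0.1\n"),
	"src/Foo.hs": []byte("module Foo where\n"),
}

// BuildManifest renders a deterministic manifest: one "<sha256 hex>  <path>"
// line per file, sorted by path, so the same tree always hashes the same way.
// (Hypothetical format; the thread does not specify one.)
func BuildManifest(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.String()
}

// GenerateSigningKey makes a fresh Ed25519 key pair for the publisher.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS entropy source failing is unrecoverable here
	}
	return pub, priv
}

// SignManifest produces the detached signature that would ship as manifest.sign.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyPackage is the client side: first check the manifest's signature
// against a key the client already trusts, and only then compare the manifest
// with the files actually present. Order matters: nothing in the manifest is
// acted on before the signature checks out.
func VerifyPackage(trusted ed25519.PublicKey, files map[string][]byte, manifest string, sig []byte) error {
	if !ed25519.Verify(trusted, []byte(manifest), sig) {
		return errors.New("manifest signature does not verify under the trusted key")
	}
	// Recomputing the whole manifest, rather than checking the listed files
	// one by one, also catches files added to or removed from the archive.
	if got := BuildManifest(files); got != manifest {
		return errors.New("archive contents do not match the signed manifest")
	}
	return nil
}

func main() {
	pub, priv := GenerateSigningKey()
	manifest := BuildManifest(sampleFiles)
	sig := SignManifest(priv, manifest)
	fmt.Print(manifest)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("pristine archive:", VerifyPackage(pub, sampleFiles, manifest, sig))

	// Modify one source file after signing; the recomputed manifest no longer matches.
	tampered := map[string][]byte{
		"foo.cabal":  sampleFiles["foo.cabal"],
		"src/Foo.hs": []byte("module Foo where\n-- edited after signing\n"),
	}
	fmt.Println("tampered archive:", VerifyPackage(pub, tampered, manifest, sig))
}
```

Two things the code makes concrete. If the signature travels inside the `.tar.gz`, as in Christopher's variant, the manifest has to exclude the signature file itself (and the manifest, if it is also inside), otherwise the recomputed manifest can never match; with a detached `manifest.sign` that problem does not arise. And `VerifyPackage` takes the trusted public key as a parameter: the example simply pins one key, which is exactly the part Vincent flags as unsolved, since deciding which keys a client should trust for which packages is the Web-of-Trust (or, in TUF's case, delegation) question, not a signing question.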