+1 for keeping this alive. Apart from the initial hype, this issue is now slowly losing attention, but I think we should always keep in mind the risk we are exposed to. Maybe I will sound pessimistic, but we should learn from the "competitors'" mistakes :)
Cheers,
A.

On 12 February 2013 08:49, Bob Ippolito <b...@redivi.com> wrote:
> The Python and Ruby communities are actively working on improving the
> security of their packaging infrastructure. I haven't paid close attention
> to any of the efforts so far, but anyone working on cabal/hackage security
> should probably take a peek. I lurk on Python's catalog-sig list and here's
> the interesting bits I've noticed from the past few weeks:
>
> [Catalog-sig] [Draft] Package signing and verification process
> http://mail.python.org/pipermail/catalog-sig/2013-February/004832.html
>
> [Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
> http://mail.python.org/pipermail/catalog-sig/2013-February/004994.html
>
> Python PyPi Security Working Document:
> https://docs.google.com/document/d/1e3g1v8INHjHsUJ-Q0odQOO8s91KMAbqLQyqj20CSZYA/edit
>
> Rubygems Threat Model:
> http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html
> https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb_SA/edit
>
> TUF: The Update Framework
> https://www.updateframework.com/
>
> On Fri, Feb 1, 2013 at 4:07 AM, Christopher Done <chrisd...@gmail.com> wrote:
>> Hey dude, it looks like we made the same project yesterday:
>>
>> http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/
>>
>> Yours is nice as it doesn't depend on GPG. Although that could be a
>> nice thing because GPG manages keys. Dunno.
>>
>> Another diff is that mine puts the .sig inside the .tar.gz, yours puts
>> it separate.
>>
>> =)
>>
>> On 31 January 2013 09:11, Vincent Hanquez <t...@snarc.org> wrote:
>>> On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
>>>> https://status.heroku.com/incidents/489
>>>>
>>>> Unsigned Hackage packages are a ticking time bomb.
>>>
>>> I agree this is terrible. I've started working on this, but this is quite a
>>> bit of work and other priorities always pop up.
>>>
>>> https://github.com/vincenthz/cabal
>>> https://github.com/vincenthz/cabal-signature
>>>
>>> My current implementation generates a manifest during sdist'ing in cabal, and
>>> has cabal-signature called by cabal on the manifest to create a
>>> manifest.sign.
>>>
>>> The main issue I'm facing is how to create a Web of Trust for doing all the
>>> public verification bits.
>>>
>>> --
>>> Vincent
>>>
>>> _______________________________________________
>>> Haskell-Cafe mailing list
>>> Haskell-Cafe@haskell.org
>>> http://www.haskell.org/mailman/listinfo/haskell-cafe
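The manifest-then-detached-signature scheme Vincent describes in the quoted thread, worked through as an added example (this is not code from cabal-signature, cabal, or anyone in the thread): it builds a canonical manifest from an sdist tarball and checks a downloaded tarball against a signed manifest, which also covers Christopher's question of a signature shipped inside the .tar.gz. The package contents are constructed, and the signature check on the manifest bytes is assumed to be supplied by an injected `signature_ok` callback standing in for GPG or cabal-signature.

```python
import hashlib
import io
import tarfile

# Constructed sample sdist contents; not a real Hackage package.
FILES = {
    "foo-0.1/foo.cabal": b"name: foo\nversion: 0.1\n",
    "foo-0.1/Setup.hs": b"import Distribution.Simple\nmain = defaultMain\n",
    "foo-0.1/src/Foo.hs": b"module Foo where\nfoo = 42\n",
}

def build_sdist(files):
    """Pack files into an in-memory .tar.gz, standing in for `cabal sdist`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def manifest_of(sdist_bytes):
    """One 'sha256  path' line per regular file, sorted, so the same file set
    always yields the same bytes to sign. A manifest or signature shipped
    inside the tarball is skipped, or the signed bytes would depend on themselves."""
    lines = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or member.name.rsplit("/", 1)[-1] in ("manifest", "manifest.sign"):
                continue
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            lines.append(f"{digest}  {member.name}")
    return "\n".join(sorted(lines)) + "\n"

def verify(sdist_bytes, signed_manifest, signature_ok):
    """Check a downloaded sdist against its manifest. `signature_ok` is the
    assumed, injected verifier for the manifest bytes (GPG, cabal-signature, ...);
    recomputing the manifest then catches modified, added and removed files alike."""
    if not signature_ok(signed_manifest):
        return False, "manifest signature invalid"
    if manifest_of(sdist_bytes) != signed_manifest:
        return False, "file set or contents differ from signed manifest"
    return True, "ok"

if __name__ == "__main__":
    sdist = build_sdist(FILES)
    manifest = manifest_of(sdist)  # the bytes cabal-signature would sign
    tampered = {**FILES, "foo-0.1/src/Foo.hs": b"module Foo where\nfoo = 43\n"}
    print(verify(sdist, manifest, lambda m: True), verify(build_sdist(tampered), manifest, lambda m: True))
```

Because the manifest is sorted and excludes itself, the same package always signs to the same bytes whether the manifest travels inside the tarball or beside it; the remaining gap, as Vincent notes, is deciding whose key `signature_ok` should trust.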