[Haskell-cafe] Ticking time bomb
Bob Ippolito
bob at redivi.com
Tue Feb 12 09:49:32 CET 2013
The Python and Ruby communities are actively working on improving the
security of their packaging infrastructure. I haven't paid close attention
to any of the efforts so far, but anyone working on cabal/hackage security
should probably take a peek. I lurk on Python's catalog-sig list and here's
the interesting bits I've noticed from the past few weeks:
[Catalog-sig] [Draft] Package signing and verification process
http://mail.python.org/pipermail/catalog-sig/2013-February/004832.html
[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
http://mail.python.org/pipermail/catalog-sig/2013-February/004994.html
Python PyPi Security Working Document:
https://docs.google.com/document/d/1e3g1v8INHjHsUJ-Q0odQOO8s91KMAbqLQyqj20CSZYA/edit
Rubygems Threat Model:
http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html
https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb_SA/edit
TUF: The Update Framework
https://www.updateframework.com/
On Fri, Feb 1, 2013 at 4:07 AM, Christopher Done <chrisdone at gmail.com>wrote:
> Hey dude, it looks like we made the same project yesterday:
>
>
> http://www.reddit.com/r/haskell/comments/17njda/proposal_a_trivial_cabal_package_signing_utility/
>
> Yours is nice as it doesn't depend on GPG. Although that could be a
> nice thing because GPG manages keys. Dunno.
>
> Another diff is that mine puts the .sig inside the .tar.gz, yours puts
> it separate.
>
> =)
>
> On 31 January 2013 09:11, Vincent Hanquez <tab at snarc.org> wrote:
> > On 01/30/2013 07:27 PM, Edward Z. Yang wrote:
> >>
> >> https://status.heroku.com/incidents/489
> >>
> >> Unsigned Hackage packages are a ticking time bomb.
> >>
> > I agree this is terrible, I've started working on this, but this is
> quite a
> > bit of work and other priorities always pop up.
> >
> > https://github.com/vincenthz/cabal
> > https://github.com/vincenthz/cabal-signature
> >
> > My current implementation generate a manifest during sdist'ing in cabal,
> and
> > have cabal-signature called by cabal on the manifest to create a
> > manifest.sign.
> >
> > The main issue i'm facing is how to create a Web of Trust for doing all
> the
> > public verification bits.
> >
> > --
> > Vincent
> >
> >
> > _______________________________________________
> > Haskell-Cafe mailing list
> > Haskell-Cafe at haskell.org
> > http://www.haskell.org/mailman/listinfo/haskell-cafe
>
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://www.haskell.org/mailman/listinfo/haskell-cafe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20130212/2ed52eba/attachment.htm>
More information about the Haskell-Cafe
mailing list