[Haskell-cafe] Ticking time bomb
Joachim Breitner
nomeata at debian.org
Wed Jan 30 21:59:48 CET 2013
Hi,
Am Mittwoch, den 30.01.2013, 11:27 -0800 schrieb Edward Z. Yang:
> https://status.heroku.com/incidents/489
>
> Unsigned Hackage packages are a ticking time bomb.
another reason why Cabal is no package manager¹.
(Ok, I admit that I don’t review every line of diff between the Haskell
packages I uploads. But thanks to http://hdiff.luite.com/ I at least
glance over them most of the time – a hurdle that malicious code would
have to take. And once a package has entered a distribution like Debian
(which it only can with a valid cryptographic signatures), checksums and
signatures are used in many places to (mostly) guarantee that the
package reaches the user unmodified.)
Greetings,
Joachim
¹ http://ivanmiljenovic.wordpress.com/2010/03/15/repeat-after-me-cabal-is-not-a-package-manager/
--
Joachim "nomeata" Breitner
Debian Developer
nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: nomeata at joachim-breitner.de | http://people.debian.org/~nomeata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20130130/9975a422/attachment.pgp>
More information about the Haskell-Cafe
mailing list