[Haskell-cafe] Ticking time bomb

Marc Weber marco-oweber at gmx.de
Fri Mar 22 12:20:32 CET 2013


The only safe way is accepting keys from people you know don't view pdf
using adobe reader, who don't browse the web (nor use flash) etc.

And then still you also have to know that their email account password
is reasonably strong ..

So whatever this thread is about - it's only about making it harder to
intentionally inject bad code.

Also "signed by two people" - how to verify that two accounts/email
addresses really belong to different people? - You understand the
problem.

Anyway - having signed packages is good, because attackers will be
slower, they have to build up trust first .. So it will improve the
situation a lot.

I also would appreciate being able to get hash sums from the
00-index.tar. Then automatic packaging is much easier.

Oh - and don't forget the huge amount of code hackage has today.
It may not be feasible to trust - check all code - but having the most
used code checked by multiple parties already is a great improvement.

Marc Weber
