<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Thu, Jan 31, 2013 at 9:26 AM, Vincent Hanquez <span dir="ltr"><<a href="mailto:tab@snarc.org" target="_blank">tab@snarc.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 01/31/2013 06:27 AM, Ertugrul Söylemez wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
In any case there is no valid excuse for the lack of crypto. It's too<br>
easy to attack Hackage, so we need some crypto regardless of what we<br>
interpret it as.<br>
<br>
My proposal is:<br>
<br>
1. Build the necessary machinery into Cabal to allow signing keys and<br>
packages and verifying the signatures, ideally through GnuPG.<br>
Cabal would benefit from that even without cabal-install and<br>
Hackage.<br>
</blockquote>
<br></div>
Seems there's lots of suggestion of using gnupg, which is a perfectly valid answer if cabal was unix only, but i'm not sure it's a valid option considering windows. Sure you can install gnupg somehow, but sounds to me it's going the same problem as gtk2hs on windows.<br>
<br>
One better way, would be to tap in the 2, work in progress, gnupg haskell replacement:<br>
<br>
<a href="http://hackage.haskell.org/package/openpgp" target="_blank">http://hackage.haskell.org/<u></u>package/openpgp</a><br>
<a href="http://hackage.haskell.org/package/hOpenPGP" target="_blank">http://hackage.haskell.org/<u></u>package/hOpenPGP</a><br>
<br>
AFAIK, both packages are not yet handling anything related to WoT, but just do the signing/verification (which is same status as my ad-hoc experiment)<span class="HOEnZb"><font color="#888888"><br>
<br></font></span></blockquote><div><br></div><div style>In this case I think this is the wrong approach. There must be at least one way to work within a trust model that is not fragile. Whether this is fully supported on all platforms is actually not very important.</div>
<div style><br></div><div style>I have pointed out why simply signing packages is fragile and how git is better suited for this task. We are not going to reimplement all the good infrastructure that already exists (gpg, git), so making that a requirement is not a good idea IMO.</div>
<div style><br></div><div style>Basic verification of signatures should work on Windows, I agree. But the underlying WoT should be a little bit more sophisticated. This means it has to be based on standard tools, or it will never happen.</div>
<div style><br></div><div style>Alexander</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
<br>
______________________________<u></u>_________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org" target="_blank">Haskell-Cafe@haskell.org</a><br>
<a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/<u></u>mailman/listinfo/haskell-cafe</a><br>
</div></div></blockquote></div><br></div></div>