Is there any way to ensure authenticity of downloads from hackage? As far as I can see, there's nothing. No https for hackage, no (strong) checksums for tarballs, nor are they signed.

So: how can I verify the authenticity of downloads from hackage?

+2  A: 

There's been significant work on a new Hackage server Real Soon Now. Matt worked on it for summer of code. Take a look at his blog: http://cogracenotes.wordpress.com/

There's been thought put into managing contributor logins in new and better ways, but not yet into verifying the authenticity of downloads.

Https support, on the other hand, is slated to be part of hackage 2, as I recall.

Signed tarballs sound potentially useful, but there just hasn't been work done to think about implementing them. Hackage is open source, and it would be helpful to either get contributions, or even just carefully thought through feature proposals.

sclv
Thanks. During the recent "Haskell in the real world" session in Baltimore, I didn't get the sense that anyone cares about such issues, and that the focus is on different matters. Thanks for your answer!
iustin
A: 

Currently the answer is that you cannot. The only authentication is for uploads (done by basic HTTP auth).

There are various levels of security that people ask for:

  • Checking if a tarball has been modified since it was uploaded
  • Ensuring that tarballs cannot be uploaded by non-maintainers
  • Checking that a tarball was actually produced by a particular individual

The new server will handle the second issue.

Adding a signed manifest to the hackage index would solve the first one. That would be a relatively lightweight solution. It does not ensure that the uploaded package is by anyone in particular or that the server has not been hacked.

The third would be much more heavyweight and we cannot sensibly hope for this ever to be more than optional. For one thing it means maintainers have to sign their packages. It also means users somehow have to manage a keychain or similar web of trust. This would be a lot of infrastructure, e.g. making gnupg work on windows would be a pita.

Duncan Coutts
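The signed-manifest scheme Duncan describes for the first level, worked through as an added example (this is not Hackage's or cabal-install's code): the server hashes every tarball it holds, signs a canonical manifest with a server key, and a client checks that signature with a public key it already trusts before comparing the SHA-256 of each download against the manifest. The one-line-per-package manifest format, the choice of Ed25519, the function names and the sample tarball bytes are all this example's assumptions. It is in Go rather than Haskell because the point is the mechanism, not the tooling, and the last lines of main show the limit Duncan states: a valid signature only proves the server signed it, not who uploaded the package or that the server was not compromised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a package id such as "foo-1.0" (the stem of foo-1.0.tar.gz)
// to the hex SHA-256 of the tarball bytes the server holds.
type Manifest map[string]string

// Encode is an assumed canonical form: one "id sha256hex" line per entry,
// sorted by id, so signer and verifier hash exactly the same bytes.
func (m Manifest) Encode() []byte {
	ids := make([]string, 0, len(m))
	for id := range m {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	var b strings.Builder
	for _, id := range ids {
		fmt.Fprintf(&b, "%s %s\n", id, m[id])
	}
	return []byte(b.String())
}

// ParseManifest is the inverse of Encode and rejects malformed lines.
func ParseManifest(data []byte) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(string(data), "\n") {
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 || len(f[1]) != sha256.Size*2 {
			return nil, errors.New("malformed manifest line: " + line)
		}
		if _, err := hex.DecodeString(f[1]); err != nil {
			return nil, errors.New("manifest digest is not hex: " + line)
		}
		m[f[0]] = f[1]
	}
	return m, nil
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the server side: hash every tarball currently stored.
func BuildManifest(tarballs map[string][]byte) Manifest {
	m := Manifest{}
	for id, tb := range tarballs {
		m[id] = digest(tb)
	}
	return m
}

// SignManifest returns the canonical bytes and the server's signature over
// them; a client would fetch both next to the package index.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (encoded, sig []byte) {
	encoded = m.Encode()
	return encoded, ed25519.Sign(priv, encoded)
}

// VerifyManifest is the client side: the server public key must come from
// somewhere the client already trusts (e.g. shipped with the tool).
func VerifyManifest(pub ed25519.PublicKey, encoded, sig []byte) (Manifest, error) {
	if !ed25519.Verify(pub, encoded, sig) {
		return nil, errors.New("manifest signature does not verify")
	}
	return ParseManifest(encoded)
}

// VerifyTarball checks one downloaded tarball against a verified manifest.
func VerifyTarball(m Manifest, id string, tarball []byte) error {
	want, ok := m[id]
	if !ok {
		return fmt.Errorf("%s: not listed in manifest", id)
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(digest(tarball))) != 1 {
		return fmt.Errorf("%s: SHA-256 does not match manifest", id)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for tarball bytes; real ones would be .tar.gz files.
	tarballs := map[string][]byte{
		"foo-1.0": []byte("contents of foo-1.0.tar.gz"),
		"bar-2.1": []byte("contents of bar-2.1.tar.gz"),
	}
	encoded, sig := SignManifest(priv, BuildManifest(tarballs))
	m, err := VerifyManifest(pub, encoded, sig)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact tarball:  ", VerifyTarball(m, "foo-1.0", tarballs["foo-1.0"]))
	fmt.Println("modified tarball:", VerifyTarball(m, "foo-1.0", []byte("trojaned foo-1.0.tar.gz")))
	// A manifest edited in transit fails before any digest is consulted.
	edited := strings.Replace(string(encoded), "bar-2.1", "bar-2.2", 1)
	_, err = VerifyManifest(pub, []byte(edited), sig)
	fmt.Println("edited manifest: ", err)
	// Not caught: a trojaned upload the server itself hashed and signed, or a
	// manifest signed by an attacker who took the server key. Those are
	// Duncan's second and third levels, which this scheme does not address.
}
```

The signature covers the whole manifest rather than each tarball, so one key operation protects every package in the index and the per-download check is a plain hash comparison, which is what makes the scheme lightweight.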