hackage-security
Hackage security framework based on TUF (The Update Framework)
See https://github.com/haskell/hackage-server/issues/414 .
Right now we always compute the hash for the entire file. This is an optimisation only (and profiling suggests it won't make all that much of a difference). Note that...
- [ ] Use library to extract `.cabal` files (and verify signatures once we introduce author signing; until that time this is just an optimization).
- [ ] Avoid creation...
although we will then probably want to distinguish between log messages shown at `-v`, which tell us about stuff that went wrong, and log messages that tell us about what's...
In the index log, we currently use

``` haskell
data TarIndexEntry =
    ...
  | MetadataEntry !PackageId !RevisionNo !UTCTime
```

However, once we start signing packages, we cannot recreate these TUF...
I saw this happening but I do not remember the circumstances and cannot reconstruct it. If it happens again, we can deal with it once we understand better why it's...
That is, change cabal-install's internal index type to something like `PackageId -> Either Problem Content`. This will however have consequences all through the code base. (And note that until we...