[ocaml-platform] Secure OPAM?

Hannes Mehnert hannes at mehnert.org
Fri Apr 17 09:51:22 BST 2015


Gabriel,

On 04/17/2015 08:52, Gabriel Scherer wrote:
> (Since this thread was last active there have been very promising 
> discussions on security that could see the day for OPAM 1.3.)
> 
> This list may be interested in the recent plan/proposal for
> security in Hackage (Haskell's package distribution
> infrastructure), which are basically "follow TUF": 
> http://www.well-typed.com/blog/2015/04/improving-hackage-security/

Thanks for the pointer.  A very well written proposal.  Some
discussion was on the opam-devel mailing list [1].  The general idea
is very similar to Haskell: use TUF, make it painless for package
maintainers.  Louis and I wanted to come up with concrete usage
scenarios (client / maintainer / new maintainer / key revocation/loss).


hannes


1: http://lists.ocaml.org/pipermail/opam-devel/2015-March/000991.html


