As readers of this blog or the mailing lists are likely already aware: package security is important to both FP Complete and other members of the Commercial Haskell community. While there was quite a bit of public discussion around this during the planning phase, I was reminded in a conversation on Friday that we never announced the outcome of these plans.
tl;dr: Secure package distribution is fully implemented in stack, with some options to harden the default. We're still implementing an easy author signing story, and that will be announced soon.
The implementation we have in stack follows the plan in the above-linked proposal pretty directly. Let me just flesh it out fully here:
https. In addition to the raw .cabal files, this repository also contains hashes and download sizes for all tarballs available.
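The hash-and-size check described above, written out as an added example (this is not stack's own code): a verifier that streams a downloaded tarball against the size and SHA-256 recorded for it in the index, refusing anything unlisted, truncated, oversized or altered. The index layout, the field names and the sample entry are constructed for this example and are not stack's actual format.

```python
import hashlib
import hmac
from typing import Iterable

# Constructed sample index: one record per tarball with the expected download
# size in bytes and SHA-256 hex digest. Field names are an assumption for this
# example, not the real index layout. The digest is sha256(b"hello world").
SAMPLE_INDEX = {
    "foo-1.0.0.tar.gz": {
        "size": 11,
        "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
    },
}


class VerificationError(Exception):
    """Raised when a download does not match its index record."""


def verify_download(name: str, chunks: Iterable[bytes], index: dict = SAMPLE_INDEX) -> bool:
    """Verify a tarball as it streams in; returns True or raises VerificationError.

    Checking the size while streaming means an oversized response is rejected
    before the whole body is buffered, and a wrong size is caught without
    having to finish hashing.
    """
    entry = index.get(name)
    if entry is None:
        raise VerificationError(f"{name}: not listed in the index, refusing to install")
    expected_size = entry["size"]
    digest = hashlib.sha256()
    received = 0
    for chunk in chunks:
        received += len(chunk)
        if received > expected_size:
            raise VerificationError(
                f"{name}: download exceeds the recorded size of {expected_size} bytes"
            )
        digest.update(chunk)
    if received != expected_size:
        raise VerificationError(
            f"{name}: got {received} bytes, index records {expected_size} (truncated?)"
        )
    # Constant-time comparison of hex digests; the exact recorded hash must match.
    if not hmac.compare_digest(digest.hexdigest(), entry["sha256"]):
        raise VerificationError(f"{name}: SHA-256 mismatch, contents differ from index")
    return True


def verdict(name: str, data: bytes, chunk_size: int = 4) -> str:
    """Convenience wrapper: feed `data` in small chunks and report the outcome."""
    chunks = (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))
    try:
        verify_download(name, chunks)
        return "ok"
    except VerificationError as exc:
        return str(exc)


if __name__ == "__main__":
    print(verdict("foo-1.0.0.tar.gz", b"hello world"))        # ok
    print(verdict("foo-1.0.0.tar.gz", b"hello worle"))        # hash mismatch
    print(verdict("foo-1.0.0.tar.gz", b"hello"))              # truncated
    print(verdict("foo-1.0.0.tar.gz", b"hello world, plus"))  # oversized
    print(verdict("bar-2.0.0.tar.gz", b"anything"))           # unlisted
```

The size is compared before and during hashing because it is the cheaper check and because an attacker who controls the download can otherwise make the client read an unbounded body; the hash comparison is what actually pins the contents to what the index recorded.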
The story still isn't complete: we have no way to verify that the package author really is the person who uploaded the package. Stay tuned for the author upload/signature work we're doing, which will hopefully be available Real Soon Now(tm).