Comments (10)
snoyberg
commented on August 21, 2024
2
Sure, no problem. The issue is:
- Hackage Security doesn't always generate JSON files: haskell/hackage-security#183
- The file you're looking for specifically broke the entire mirror process over the weekend: haskell-hvr/hackage-mirror-tool#2
- Because the connection to the Hackage server itself is insecure (HTTP), we cannot rely with downloads from it being untampered unless there is a Hackage Security signature
- If you're wondering: Yes, https://hackage.haskell.org does work, but that's connecting to a CDN, which itself has an insecure connection to the Hackage server itself
- The mirror tool we run connects directly to Hackage over its insecure connection
- Therefore, there's no way that we can reliably generate the .json files without risk of a MITM attack
In the past we generated the JSON files ourselves without relying on the upstream information, but that was before I was aware of the insecure connection between the CDN and Hackage. @lehins updated the mirroring tools recently to fix this.
I'm not getting traction upstream on this issue, so additional voices would be helpful. Filing against hackage-server probably makes sense.
from all-cabal-hashes.
snoyberg
commented on August 21, 2024
This is an upstream issue with Hackage itself, please file there.
…On Tue, Feb 14, 2017, 2:32 PM Peter Simons ***@***.***> wrote:
There exists a file gogol-admin-reports/0.2.0/gogol-admin-reports.cabal
but no matching JSON file.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#11>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADBBxci8g7bbz7pw8tjGjWbxu98zoACks5rcZ7zgaJpZM4MAa4p>
.
from all-cabal-hashes.
peti
commented on August 21, 2024
I'm supposed to complain about a missing JSON file in all-cabal-hashes to the Hackage people? What good will that do?
from all-cabal-hashes.
snoyberg
commented on August 21, 2024
I won't deal with belligerence. If you want to ask why this is an upstream
issue, I can explain. But I don't need to waste my time with this tone.
…On Tue, Feb 14, 2017, 2:37 PM Peter Simons ***@***.***> wrote:
I'm supposed to complain about a missing JSON file in all-cabal-hashes to
the Hackage people? What good will that do?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#11 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADBB1V6YrOfRQ2-pshWZQX6GnSt4-w2ks5rcZ_8gaJpZM4MAa4p>
.
from all-cabal-hashes.
peti
commented on August 21, 2024
I am sorry. I had not realized that you'd perceive my tone as offensive and I had no intention to come across that way. I apologize.
If you will, could you please explain to me why this is an upstream issue so that I can go ahead and try to get it fixed?
from all-cabal-hashes.
gbaz
commented on August 21, 2024
Because the connection to the Hackage server itself is insecure (HTTP), we cannot rely with downloads from it being untampered unless there is a Hackage Security signature
I checked our cdn settings, and in fact we do use a tls conduit between our cdn and the origin server. Image verifying settings below. It may be the case that we did not do so in the past but certainly we have had such a connection for quite some time.
from all-cabal-hashes.
snoyberg
commented on August 21, 2024
My information was from September
from all-cabal-hashes.
peti
commented on August 21, 2024
Upstream ticket is haskell/hackage-server#488, which appears to be dead in the water since April 15th 2016. This is not very encouraging.
from all-cabal-hashes.
gbaz
commented on August 21, 2024
Don't despair. The renewed attention has revived interest in tackling it.
from all-cabal-hashes.
snoyberg
commented on August 21, 2024
The problem has been fixed by upstream.
from all-cabal-hashes.
Related Issues (17)
- Readme could do with mentioning how often this updates. HOT 1
- Bad signature HOT 3
- intro-0.1.0.9 data is incomplete HOT 2
- Not updating? HOT 5
- wai-middleware-prometheus-0.2.0 is incomplete HOT 5
- case-sensitivity: cassava and cli are missing. HOT 2
- stack cabal file from lts-13 missing HOT 1
- Do these hashes relate to extra-deps? HOT 2
- Updates have stopped 4 days ago HOT 1
- Spock 0.7.10.0 hasn't been sync'd. HOT 2
- Update job seems to have stopped three weeks ago HOT 5
- Index of all packages HOT 5
- Please include an SHA256 hash of the Cabal file itself HOT 5
- The all-cabal-hashes don't seem to update. HOT 6
- The Travis job isn't starting HOT 1
- hermes-1.3.4.3 data is incomplete HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from all-cabal-hashes.