[Hackage] #239: security hole: anyone can replace a package

Hackage trac at galois.com
Thu Feb 14 06:40:51 EST 2008

#239: security hole: anyone can replace a package
  Reporter:  guest              |        Owner:       
      Type:  defect             |       Status:  new  
  Priority:  normal             |    Milestone:       
 Component:  HackageDB website  |      Version:       
  Severity:  normal             |     Keywords:       
Difficulty:  normal             |   Ghcversion:  6.8.2
  Platform:                     |  
 It is possible for any registered user to upload a new version of a
 package without reference to the actual maintainer of the package.  The
 new upload can even have the same name and version number as an existing
 package.  Not only does this allow a malicious or misguided person to
 arbitrarily change or remove good code: there is also no notification on
 the webpage of the package about who uploaded it - only the
 author/maintainer fields of the cabal file.  Needless to say, the latter
 may not be very happy that their name is associated with a corrupt package
 that they did not upload or authorise.

 Recently, a significant number of packages have been uploaded without
 their maintainers' knowledge, so this could be a real problem.  A quick
 fix would be to list the uploader's name against every package, so that
 the paranoid user can make an informed decision about its status.
 Ultimately the decision about whether to trust a package is a social and
 community issue, but the lack of transparency in discovering relevant
 information is a technical problem that does have a solution.

Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects
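The upload policy the ticket describes, alongside a hardened one, as an added example (not Hackage's own code). The index, the maintainer registry and the user names are assumptions constructed for illustration; the hardened upload requires the uploader to be a listed maintainer, refuses to overwrite an existing version, and records who uploaded each release so the package page can show it.

```python
from dataclasses import dataclass, field


class UploadRejected(Exception):
    """Raised when the hardened policy refuses an upload."""


@dataclass
class Release:
    name: str
    version: str
    uploader: str   # the account that actually performed the upload
    digest: str     # constructed placeholder for the archive's content hash


@dataclass
class Index:
    # name -> {version -> Release}
    releases: dict = field(default_factory=dict)
    # name -> set of accounts allowed to upload it (hypothetical maintainer registry)
    maintainers: dict = field(default_factory=dict)

    def upload_unchecked(self, user: str, name: str, version: str, digest: str) -> Release:
        """Behaviour the ticket reports: any registered user may write, or overwrite,
        any package at any version, and nothing records the mismatch with the maintainer."""
        rel = Release(name, version, user, digest)
        self.releases.setdefault(name, {})[version] = rel
        return rel

    def upload_checked(self, user: str, name: str, version: str, digest: str) -> Release:
        """Hardened policy: the first uploader claims the name, later uploads must come
        from a listed maintainer, and an existing name/version pair is immutable."""
        owners = self.maintainers.get(name)
        if owners is None:
            self.maintainers[name] = {user}
        elif user not in owners:
            raise UploadRejected(f"{user} is not a maintainer of {name}")
        if version in self.releases.get(name, {}):
            raise UploadRejected(f"{name}-{version} already exists; versions are immutable")
        rel = Release(name, version, user, digest)
        self.releases.setdefault(name, {})[version] = rel
        return rel

    def uploader_of(self, name: str, version: str) -> str:
        """The transparency fix the ticket asks for: show who uploaded a release,
        independently of the author/maintainer fields inside the cabal file."""
        return self.releases[name][version].uploader
```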
