[Hackage] #239: security hole: anyone can replace a package
Hackage
trac at galois.com
Thu Feb 14 06:40:51 EST 2008
#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
Reporter: guest | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: HackageDB website | Version:
Severity: normal | Keywords:
Difficulty: normal | Ghcversion: 6.8.2
Platform: |
--------------------------------+-------------------------------------------
It is possible for any registered user to upload a new version of a
package without reference to the actual maintainer of the package. The
new upload can even have the same name and version number as an existing
package. Not only does this allow a malicious or misguided person to
arbitrarily change or remove good code: there is also no notification on
the webpage of the package about who uploaded it - only the
author/maintainer fields of the cabal file. Needless to say, the latter
may not be very happy that their name is associated with a corrupt package
that they did not upload or authorise.
Recently, a significant number of packages have been uploaded without
their maintainers' knowledge, so this could be a real problem. A quick
fix would be to list the uploader's name against every package, so that
the paranoid user can make an informed decision about its status.
Ultimately the decision about whether to trust a package is a social and
community issue, but the lack of transparency in discovering relevant
information is a technical problem that does have a solution.
--
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects
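The two checks the ticket asks for, as an added example in Python rather than Hackage's own Haskell code: a small in-memory package index (all package names and accounts are constructed for illustration) that never overwrites an existing name/version, binds new versions of a name to the accounts registered as its maintainers, and records the authenticated uploader so the package page can show it next to the cabal file's untrusted maintainer field.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    maintainer: str  # maintainer field copied from the .cabal file (untrusted text)
    uploader: str    # authenticated account that performed the upload


class UploadRejected(Exception):
    pass


@dataclass
class PackageIndex:
    # (name, version) -> Release; in-memory stand-in for the index store
    releases: dict = field(default_factory=dict)
    # name -> set of accounts allowed to upload new versions of that name
    maintainers: dict = field(default_factory=dict)

    def upload(self, uploader: str, name: str, version: str, maintainer_field: str) -> Release:
        key = (name, version)
        if key in self.releases:
            # Releases are immutable: a same name+version upload is never replaced.
            raise UploadRejected(f"{name}-{version} already exists; bump the version")
        allowed = self.maintainers.get(name)
        if allowed is None:
            # First upload of a new name claims it for the uploading account.
            self.maintainers[name] = {uploader}
        elif uploader not in allowed:
            raise UploadRejected(f"{uploader} is not a registered maintainer of {name}")
        rel = Release(name, version, maintainer_field, uploader)
        self.releases[key] = rel
        return rel

    def page_line(self, name: str, version: str) -> str:
        # What the package page should display: the uploader, not only the cabal fields.
        r = self.releases[(name, version)]
        return f"{r.name}-{r.version}  maintainer: {r.maintainer}  uploaded by: {r.uploader}"


def try_upload(idx: PackageIndex, uploader: str, name: str, version: str, maint: str) -> str:
    """Return 'accepted' or the rejection reason, for logging or display."""
    try:
        idx.upload(uploader, name, version, maint)
        return "accepted"
    except UploadRejected as e:
        return f"rejected: {e}"
```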