[Hackage] #239: security hole: anyone can replace a package

Hackage trac at galois.com
Thu Feb 14 08:51:04 EST 2008

#239: security hole: anyone can replace a package
  Reporter:  guest              |        Owner:        
      Type:  defect             |       Status:  new   
  Priority:  normal             |    Milestone:        
 Component:  HackageDB website  |      Version:        
  Severity:  normal             |   Resolution:        
  Keywords:                     |   Difficulty:  normal
Ghcversion:  6.8.2              |     Platform:        
Comment (by duncan):

 It's not a trivial balance about who should be allowed to upload a
 package. By uploading to a public repo package authors are surrendering a
 little bit of control. If people start relying on a package then we want
 that package to continue even if the original uploader goes AWOL.

 So it is not clear that we would always want to restrict uploads to be the
 declared maintainer (or whoever uploaded it first). One could imagine a
 system where there is a list of allowed uploaders for a package and
 existing people could add others to that set. But whatever we do like that
 it has to be overridable for the cases when a package maintainer

Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239#comment:4>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects

More information about the cabal-devel mailing list