[Hackage] #239: security hole: anyone can replace a package
Hackage
trac at galois.com
Thu Feb 14 08:51:04 EST 2008
#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
  Reporter:  guest              |       Owner:
      Type:  defect             |      Status:  new
  Priority:  normal             |   Milestone:
 Component:  HackageDB website  |     Version:
  Severity:  normal             |  Resolution:
  Keywords:                     |  Difficulty:  normal
Ghcversion:  6.8.2              |    Platform:
--------------------------------+-------------------------------------------
Comment (by duncan):
It's not a trivial balance about who should be allowed to upload a
package. By uploading to a public repo package authors are surrendering a
little bit of control. If people start relying on a package then we want
that package to continue even if the original uploader goes AWOL.
So it is not clear that we would always want to restrict uploads to be the
declared maintainer (or whoever uploaded it first). One could imagine a
system where there is a list of allowed uploaders for a package and
existing people could add others to that set. But whatever we do like that
it has to be overridable for the cases when a package maintainer
disappears.
--
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239#comment:4>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects