[Hackage] #239: security hole: anyone can replace a package

Hackage trac at galois.com
Thu Feb 14 13:01:37 EST 2008

#239: security hole: anyone can replace a package
  Reporter:  guest              |        Owner:        
      Type:  defect             |       Status:  new   
  Priority:  normal             |    Milestone:        
 Component:  HackageDB website  |      Version:        
  Severity:  normal             |   Resolution:        
  Keywords:                     |   Difficulty:  normal
Ghcversion:  6.8.2              |     Platform:        
Comment (by ross at soi.city.ac.uk):

 Yes, the security model is basic: if you have been (manually) registered
 you can upload any package, but your actions are published and logged.
 It's not designed to cope with malice, except that anyone who misbehaves
 can be deregistered.

 I think that restricting duplicate uploads ought to be done before too
 long.  And the uploader info is needed on the package page (as is other
 info).  But those things won't increase security for people using cabal-
 install (because it picks the most recent version, and they don't see the
 package page), and they won't prevent non-maintainer uploads.  To do that
 we'd need to record ownership for packages, with human authorization the
 first time each package is uploaded and more administrative intervention
 if a package becomes dormant.  These things would be extra costs on both
 users and administrators.  Maybe we'd need to formalize a dispute
 resolution procedure.  There's also the question of whether maintainers
 have a right to control uploads of their packages that should be policed
 by hackagedb.

 Alternatively we could just put up some notices about upload etiquette and
 talk to each other.

 We need to weigh what security would actually be achieved by a particular
 setup against the costs.

Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239#comment:6>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects

More information about the cabal-devel mailing list