[Hackage] #239: security hole: anyone can replace a package
Hackage
trac at galois.com
Thu Feb 14 13:01:37 EST 2008
#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
Reporter: guest | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: HackageDB website | Version:
Severity: normal | Resolution:
Keywords: | Difficulty: normal
Ghcversion: 6.8.2 | Platform:
--------------------------------+-------------------------------------------
Comment (by ross at soi.city.ac.uk):
Yes, the security model is basic: if you have been (manually) registered
you can upload any package, but your actions are published and logged.
It's not designed to cope with malice, except that anyone who misbehaves
can be deregistered.

I think that restricting duplicate uploads ought to be done before too
long. And the uploader info is needed on the package page (as is other
info). But those things won't increase security for people using
cabal-install (because it picks the most recent version, and they don't
see the package page), and they won't prevent non-maintainer uploads. To
do that we'd need to record ownership for packages, with human
authorization the first time each package is uploaded and more
administrative intervention if a package becomes dormant. These things
would be extra costs on both users and administrators. Maybe we'd need to
formalize a dispute resolution procedure. There's also the question of
whether maintainers have a right to control uploads of their packages
that should be policed by hackagedb.

Alternatively we could just put up some notices about upload etiquette and
talk to each other.

We need to weigh what security would actually be achieved by a particular
setup against the costs.
--
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239#comment:6>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects