[Hackage] #239: security hole: anyone can replace a package

Duncan Coutts duncan.coutts at worc.ox.ac.uk
Fri Feb 15 01:09:51 EST 2008

>  I think that restricting duplicate uploads ought to be done before too
>  long.  And the uploader info is needed on the package page (as is other
>  info).  But those things won't increase security for people using cabal-
>  install (because it picks the most recent version, and they don't see the
>  package page)

This in itself is something we should revisit at some point. If things
are being managed more like a distribution we'd want the ability to
designate some branch as the "current" or "best" version which may not
necessarily be the highest version.

For example Gentoo has two mechanisms, there is a way to designate
packages as bleeding edge or tested and stable (and there is a protocol
for transferring packages from one state to the other). Users can select
whether they want to live on the bleeding edge, either globally or on a
per-package basis. Additionally there is a "masking" system to prevent
the package manager from considering certain versions at all. Within
those constraints, the package manager tries to pick the highest


More information about the cabal-devel mailing list