[Hackage] #239: security hole: anyone can replace a package

Hackage trac at galois.com
Fri Feb 15 09:32:27 EST 2008


#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
  Reporter:  guest              |        Owner:        
      Type:  defect             |       Status:  new   
  Priority:  normal             |    Milestone:        
 Component:  HackageDB website  |      Version:        
  Severity:  normal             |   Resolution:        
  Keywords:                     |   Difficulty:  normal
Ghcversion:  6.8.2              |     Platform:        
--------------------------------+-------------------------------------------
Comment (by igloo):

 I'd like to vote for rejecting uploads of the same version: We should do
 everything we can to discourage people from distributing different things
 with the same version number, as it makes debugging problems etc much
 harder.

 On the security side, one thing we could do is to e-mail the maintainer
 address (in both the old and new cabal files) when an upload is done,
 including the username of the uploader and whether the maintainer address
 has changed. (I think we should do more as well, but this should be easy
 to set up and has no ongoing cost).

-- 
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239#comment:7>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects
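The two proposals in the comment above (refuse any upload whose package-version already exists, and e-mail the maintainer addresses from both the previous and the new .cabal file with the uploader's username and whether the address changed) as an added Python sketch; this is not code from the ticket or from Hackage, and the index, package names, usernames and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample index: (package, version) -> Maintainer field of the
# .cabal file already on the server. Hypothetical data, not real Hackage state.
SAMPLE_INDEX: Dict[Tuple[str, str], str] = {
    ("foo", "1.0"): "alice@example.org",
    ("foo", "1.1"): "alice@example.org",
}

@dataclass(frozen=True)
class Upload:
    package: str
    version: str
    maintainer: str  # Maintainer field of the uploaded .cabal file
    uploader: str    # username of the account performing the upload

@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    notify: Tuple[str, ...]   # maintainer addresses that get the e-mail
    maintainer_changed: bool

def version_key(v: str) -> Tuple[int, ...]:
    # Numeric comparison so that 1.10 sorts after 1.9.
    return tuple(int(p) for p in v.split("."))

def latest_maintainer(index: Dict[Tuple[str, str], str], package: str) -> Optional[str]:
    """Maintainer of the highest version already on the server, None for a new package."""
    known = [(version_key(v), m) for (p, v), m in index.items() if p == package]
    return max(known)[1] if known else None

def check_upload(index: Dict[Tuple[str, str], str], upload: Upload) -> Decision:
    # Proposal 1: an existing version is never replaced, whoever uploads it.
    if (upload.package, upload.version) in index:
        return Decision(False, f"{upload.package}-{upload.version} already exists; bump the version", (), False)
    # Proposal 2: accept, but notify the old and the new maintainer address.
    old = latest_maintainer(index, upload.package)
    recipients = tuple(dict.fromkeys(a for a in (old, upload.maintainer) if a))
    changed = old is not None and old != upload.maintainer
    return Decision(True, "accepted", recipients, changed)

def notification(upload: Upload, decision: Decision) -> str:
    """Body of the e-mail sent to every address in decision.notify."""
    return (f"{upload.package}-{upload.version} was uploaded by user '{upload.uploader}'.\n"
            f"Maintainer field: {upload.maintainer}\n"
            f"Maintainer address changed: {'yes' if decision.maintainer_changed else 'no'}\n")
```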

