[Hackage] #239: security hole: anyone can replace a package
Hackage
trac at galois.com
Fri Feb 15 09:32:27 EST 2008
#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
  Reporter:  guest              |        Owner:
      Type:  defect             |       Status:  new
  Priority:  normal             |    Milestone:
 Component:  HackageDB website  |      Version:
  Severity:  normal             |   Resolution:
  Keywords:                     |   Difficulty:  normal
Ghcversion:  6.8.2              |     Platform:
--------------------------------+-------------------------------------------
Comment (by igloo):
I'd like to vote for rejecting uploads of the same version: We should do
everything we can to discourage people from distributing different things
with the same version number, as it makes debugging problems etc. much
harder.

On the security side, one thing we could do is to e-mail the maintainer
address (in both the old and new cabal files) when an upload is done,
including the username of the uploader and whether the maintainer address
has changed. (I think we should do more as well, but this should be easy
to set up and has no ongoing cost).
--
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239#comment:7>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects