[Hackage] #214: Package security

Hackage trac at galois.com
Tue May 20 07:34:49 EDT 2008

#214: Package security
  Reporter:  duncan         |        Owner:                 
      Type:  task           |       Status:  new            
  Priority:  normal         |    Milestone:                 
 Component:  miscellaneous  |      Version:        
  Severity:  normal         |   Resolution:                 
  Keywords:                 |   Difficulty:  project(> week)
Ghcversion:  6.8.2          |     Platform:                 
Comment (by ross at soi.city.ac.uk):

 Replying to [comment:9 duncan]:
 > I accept that it's bad to be able to subvert an existing named package
 that has people's trust. #239 is now fixed. I agree that we want a system
 to let package authors limit who else should be allowed to upload their

 #239 is only fixed in that you cannot replace an existing version, and the
 uploader is displayed on the package page.  It remains possible for anyone
 to upload a new version of any package.  I've been assuming that I'm
 dealing with responsible people, and will remove any that aren't.

 People seem very keen to jump to the last item on your list above.  Most
 security measures have costs to implementors, users and in maintenance.
 If they cover only some of the holes, they will be worse than useless: the
 system will be harder to use and maintain, but no more secure.

 > Linking authors to what else they have uploaded is also a good idea.

 This would be useful, and tied in with build reporting would give some
 sort of ranking of package maintainers, and may motivate them to test
 their packages before uploading them.  I'm not sure it would help a lot
 with security, though.

Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/214#comment:11>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects

More information about the cabal-devel mailing list