[Hackage] #214: Package security

Hackage trac at galois.com
Wed May 21 06:15:15 EDT 2008

#214: Package security
  Reporter:  duncan         |        Owner:                 
      Type:  task           |       Status:  new            
  Priority:  normal         |    Milestone:                 
 Component:  miscellaneous  |      Version:        
  Severity:  normal         |   Resolution:                 
  Keywords:                 |   Difficulty:  project(> week)
Ghcversion:  6.8.2          |     Platform:                 
Comment (by guest):

 Replying to [comment:14 duncan]:
 > Replying to [comment:10 guest]:
 > > I worry about the idea of providing "security" or some notion of
 safety or trust only if one behaves "as expected". That seems slightly odd
 to me.
 > I think it's really essential. You are expecting for some reason that
 something on hackage is held to a higher security or QA standard than
 something else you randomly download off the web. What gives you that
 confidence? What makes you think other users have that confidence? Perhaps
 that's the security problem. There's no security problem with
 `` because there's no reason you would expect to
 trust it.

 I'm not sure we're disagreeing, I think we're just talking about different
 things. You say "We expect people to download packages they know of or
 have had recommended, not random packages." I'm trying to say that the
 only way in which code can migrate from "random package" status to "known
 and/or recommended" status is precisely by people downloading random

 > As I said, a name can establish a reputation so there is value in
 preventing well known names from being subverted.

 Yes, absolutely, except without the "well known" bit. -- matthew

Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/214#comment:15>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects

More information about the cabal-devel mailing list