[Hackage] #214: Package security

Marc Weber marco-oweber at gmx.de
Wed May 21 07:44:35 EDT 2008

>  Yes, absolutely, except without the "well known" bit. -- matthew

I don't have an account yet so I can't answer on trac, can I?

I've talked about this with dcoutts some time ago.
And he told me he has already implemnted kind of strace tool.
One way would be: Use kind of sandbox/ observation and build the package
once on hackage. If it doesn't try to rm -fr ${HOMe} it's considered
beeing safe and everyone can download it.. If it tries to do such stupid
things (and making connections to somewhere else should be considered
stupid..) it could be marked as malicious ..
Of course the package might become malicious only on Monday or after
9.11.2011 etc.. but obvious packages which would hurt hundreds of people
could be catched this way easily. All we would need is a build system.

Of course we can't do anything about this only no Monday problem but
trusting uploaders..

Marc Weber

More information about the cabal-devel mailing list