[Hackage] #214: Package security

Neil Mitchell ndmitchell at gmail.com
Wed May 21 10:16:01 EDT 2008


Hi Marc,

> I don't have an account yet so I can't answer on trac, can I?

Username: guest
Password: haskell'

> And he told me he has already implemented a kind of strace tool.
> One way would be: Use a kind of sandbox/observation and build the package
> once on hackage. If it doesn't try to rm -fr ${HOME} it's considered
> being safe and everyone can download it.. If it tries to do such stupid
> things (and making connections to somewhere else should be considered
> stupid..) it could be marked as malicious ..

If you make it harder to do this, you are really just encouraging
people to be more creative. If you leave a box on a table, everyone
will leave it alone. If you lock the box, you are just encouraging
people to test their lock picking skills.

Thanks

Neil


