Hackage 2

Matthew Gruen wikigracenotes at gmail.com
Thu Sep 6 19:49:36 CEST 2012


On Thu, Sep 6, 2012 at 10:28 AM, Duncan Coutts <duncan.coutts at googlemail.com> wrote:

> On 5 September 2012 20:22, Erik Hesselink <hesselink at gmail.com> wrote:
>
> >> Also, we haven't had a single problem that I'm aware of on Ross Paterson's
> >> watch as bouncer for Hackage 1. The point I'm trying to make is that a
> >> technical solution imposes additional administrative and technical overhead
> >> whereas social processes can also be very effective while also handling
> >> corner cases more gracefully.
> >
> > I don't see how a technical solution (which is already implemented, by
> > the way) introduces *more* overhead than a manual solution. Also, the
> > fact that we haven't had any problems doesn't mean we won't in the
> > future. We don't have to wait before something goes wrong to fix it.
>
> As I think you know, I'm definitely in favour of the per-package
> maintainer group stuff.
>
> Let me make one more argument: even if we don't in practice have
> problems with people uploading packages they shouldn't, it'll make
> everyone *feel* better (that is, package maintainers and users). We do
> get a bit of stick for the current lack of security (not just this
> issue but about the lack of tamper proofing / detecting).
>
> Additionally, if you decide that you would prefer to allow anyone to
> upload without having to get manual approval to be in the uploader
> group, then the per-package maintainer group becomes very useful. You
> could have more or less a free for all in uploading new names, but
> nobody can subvert existing names.
>
> (We would still have the problem of people taking all the good package
> names for crappy packages, but that's another issue)
>
> I understand we're not planning on importing the accounts from the old
> server. Could someone explain the issue there? I'd assumed we'd do
> that for a smoother changeover (and to set up the initial maintainer
> groups).
>
> Duncan


I'm a little bit confused on the exact setup. The uploaders group seems to
be roughly the same thing as the trustees group. (Except uploaders has an
AND relationship with per-package groups as far as membership requirements
for upload, and trustees has an OR relationship).

To my knowledge, it's technically possible to import the old accounts.

Matt


More information about the cabal-devel mailing list