[Hackage] [GSoC] Improving authentication system in Hackage -- student looking for a mentor

Mateusz Lenik mlen at mlen.pl
Fri Mar 21 00:09:04 UTC 2014

Hello everyone,

I'm a student interested in improving the authentication system in Hackage
during Google Summer of Code, but currently I don't have a mentor.
The current version of my proposal is attached to this email.
It can also be found on google-melange.com.

Please contact me if you're interested in mentoring this project.

Thank you,
-------------- next part --------------
Title: Improved Hackage login

About the proposed project:

The goal of this project is to refactor the Hackage login/authentication system,
improve UX using a cookie-based approach and replace the outdated password hashing
scheme with a secure one.

I propose to use scrypt as the password hashing scheme, as it is not supported by
the oclhashcat password cracker. Another good choice would be bcrypt, as it also
allows one to specify a parameter to adjust the time complexity of hashing.

For the cookie-based approach I propose to use encrypted and signed cookies
(a similar approach to the one Ruby on Rails uses), but with a small difference:
cookies would also be tagged with an expiration time before encryption and
signing -- this should prevent replay attacks.

Timeline of the project:

1. Switch Hackage to HTTPS -- parts of Hackage visible to logged in users and
   login forms should be available only over TLS. It would be even better if it is
   possible to switch Hackage to HTTPS only.
2. Disable Digest Authentication -- this step is necessary to replace the MD5
   hashing scheme. Care should also be taken of all projects that rely on Digest
3. Replace MD5 with scrypt -- the main goal of this project. A solution to
   switch over from MD5 to scrypt as a user logs in for the first time should be
4. Implement cookie-based authentication -- Basic Auth can be left enabled after
   this step is implemented to allow automatic tools to access Hackage.

From this point there are two ways to enhance Hackage:

5a. Implement token based authentication -- libraries and automatic tools would
    be able to use a token or an API key to access Hackage instead of Basic Auth.
5b. Adapt the UI for the logged in user.

Currently I'm looking into Hackage source code to be able to provide estimates
on how long each of these steps would take.

About the author:

My name is Mateusz Lenik and I'm studying computer science at Technical
University in Wrocław, Poland. My major during my BSc was internet engineering and
now my major is software and network security. I work half-time as a Ruby
developer and I help to organise the annual Ruby conference in Wrocław. I got
interested in Haskell a year ago, mostly because the tools I used at that time made
it really hard to write safe and secure code that is easy to reason about.
Unfortunately I still have to use Ruby for most of the code I write.

My Haskell experience seems to be sufficient to finish this project (and I
expect to learn a lot more than I know now during the project).
Additionally I've got decent knowledge of system administration (Debian,
ArchLinux), provisioning tools (Chef, Puppet), web security practices (OWASP
Top 10 et al.) and general web development.

I expect to be able to work on the project for up to 20 hours per week (with the
exception of one week in May).

After the project I'd love to contribute more to the Haskell community, but I can't
promise that -- I'm graduating this year and I cannot predict how my life is
going to change after the graduation.

Email: mlen at mlen.pl
GPG fingerprint: B865 E86A D36C 11A5 C1F8  C1D9 AAD4 CEC9 6B94 92C4
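The login flow that steps 2 to 4 of the timeline describe, as an added Python sketch that is not part of the proposal or of Hackage's code base: a stored Digest-auth record (MD5 of user:realm:password) is verified one last time and rewritten as a salted scrypt hash on the first successful login, after which a session cookie carrying the user and an expiry is issued and signed with HMAC-SHA256 so that the expiry is covered by the MAC. The realm string, the `md5$`/`scrypt$` record formats, the scrypt cost parameters and every function name are assumptions made for the illustration. The Rails-style encryption layer is deliberately left out: a signed payload is all the expiry check needs, and a real deployment would wrap the payload in an AEAD (AES-GCM or ChaCha20-Poly1305) rather than roll its own.

```python
"""Sketch of a password-upgrade login plus a signed, expiring session cookie.
Added illustration, not Hackage code; constants and formats are assumed."""
import base64
import hashlib
import hmac
import json
import os
import time

# Assumed: Digest-auth realm used in the legacy HA1 hash, and scrypt cost
# parameters sized for interactive login (tune on the target hardware).
REALM = "hackage"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def b64encode_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64decode_nopad(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def legacy_md5_record(username: str, password: str) -> str:
    """What a Digest-auth store holds: HA1 = MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    return "md5$" + ha1


def scrypt_record(password: str, salt: bytes = None) -> str:
    """Salted scrypt hash, with its parameters stored next to the digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64encode_nopad(salt)}${b64encode_nopad(dk)}"


def verify_password(record: str, username: str, password: str):
    """Return (ok, replacement).  replacement is a fresh scrypt record when an
    MD5 record verified, i.e. the hash is upgraded on first login; else None."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        ok = hmac.compare_digest(record, legacy_md5_record(username, password))
        return ok, (scrypt_record(password) if ok else None)
    if scheme == "scrypt":
        n, r, p, salt, digest = rest.split("$")
        want = b64decode_nopad(digest)
        dk = hashlib.scrypt(password.encode(), salt=b64decode_nopad(salt),
                            n=int(n), r=int(r), p=int(p), dklen=len(want))
        return hmac.compare_digest(dk, want), None
    return False, None  # unknown scheme: fail closed


def issue_cookie(key: bytes, username: str, ttl_seconds: int, now: float = None) -> str:
    """Sign {user, exp}.  The expiry sits inside the MAC'd payload, so a client
    cannot extend it; a captured cookie is only usable until exp."""
    now = time.time() if now is None else now
    claims = {"user": username, "exp": int(now) + ttl_seconds}
    payload = b64encode_nopad(json.dumps(claims).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64encode_nopad(tag)


def read_cookie(key: bytes, cookie: str, now: float = None):
    """Return the username, or None if the MAC is bad, the cookie is malformed
    or it has expired.  The MAC is checked before anything is parsed."""
    now = time.time() if now is None else now
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None
    try:
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64decode_nopad(tag), expected):
            return None
        claims = json.loads(b64decode_nopad(payload))
        if claims["exp"] <= now:
            return None
        return claims["user"]
    except (ValueError, KeyError, TypeError):
        return None


def login(store: dict, key: bytes, username: str, password: str, ttl_seconds: int = 3600):
    """Check credentials, rewrite an MD5 record as scrypt, issue a cookie."""
    record = store.get(username)
    if record is None:
        return None
    ok, upgraded = verify_password(record, username, password)
    if not ok:
        return None
    if upgraded:
        store[username] = upgraded  # step 3: migrate on first login
    return issue_cookie(key, username, ttl_seconds)


if __name__ == "__main__":
    # Constructed sample data: one user still on the Digest-era MD5 record.
    users = {"alice": legacy_md5_record("alice", "correct horse")}
    secret = os.urandom(32)
    cookie = login(users, secret, "alice", "correct horse")
    print("stored record now:", users["alice"][:7], "| cookie user:", read_cookie(secret, cookie))
```

Two caveats the proposal leaves implicit: the expiry only bounds the window in which a stolen cookie can be replayed, it does not stop replay within that window, so the TTL should be short and the cookie sent with `Secure` and `HttpOnly` (which also depends on step 1, HTTPS); and the MD5 upgrade path only works while the plaintext password is available at login, which is why the Digest-auth record has to be kept until each user has logged in once.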
