[Haskell-cafe] Do I need an account to report build of Hackage packages?

Duncan Coutts duncan.coutts at worc.ox.ac.uk
Sat Nov 22 10:24:19 EST 2008


On Sat, 2008-11-22 at 15:11 +0000, Claus Reinke wrote:
> > You only need an account for uploading packages. If you do not want to
> > have to enter your user name or password interactively when you run
> > "cabal upload" then you can put them in the config file:
> > 
> > username:
> > password:
> 
> That sounds like a very bad idea, and should not be encouraged!
> Any compromised uploader machine with stored passwords can
> be used to upload compromising code, which will propagate to 
> all downloaders. One bad-apple package installed unwittingly on 
> one uploader machine with stored passwords could compromise 
> all of Haskell land.

We've got bigger security issues than this. I'd welcome someone to spend
some time implementing some of the obvious and sensible ideas we've
discussed to improve the situation.

Duncan
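
A check for the stored-credential risk discussed in this thread, as an added example that is not part of the original messages or of cabal itself: it flags a non-empty `password:` field in a cabal-style config file and reports when that file is accessible to users other than its owner. The function names, the sample contents and the file location are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_cabal_config(path):
    """Return findings for a cabal-style config file at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    has_password = False
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("--"):
                continue  # blank line or "--" comment line
            field, sep, value = stripped.partition(":")
            # Only a password field with an actual value is a stored secret.
            if sep and field.strip().lower() == "password" and value.strip():
                has_password = True
                findings.append(f"line {lineno}: plaintext password stored")
    # Group/other permission bits matter only when a secret is in the file.
    if has_password and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:o}: accessible beyond the owner")
    return findings


def run_on_sample(text, mode):
    """Write constructed sample text to a temp file with `mode` and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config")  # hypothetical location
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_cabal_config(path)


# Constructed sample input, not taken from any real machine.
SAMPLE = "-- constructed sample\nusername: alice\npassword: example-secret\n"

if __name__ == "__main__":
    for finding in run_on_sample(SAMPLE, 0o644):
        print(finding)
```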


