[Haskell-cafe] Do I need an account to report build of Hackage packages?
Antti-Juhani Kaijanaho
antti-juhani at kaijanaho.fi
Sat Nov 22 10:45:18 EST 2008
On Sat, Nov 22, 2008 at 03:11:34PM -0000, Claus Reinke wrote:
>> You only need an account for uploading packages. If you do not want to
>> have to enter your user name or password interactively when you run
>> "cabal upload" then you can put them in the config file:
>>
>> username:
>> password:
>
> That sounds like a very bad idea, and should not be encouraged!
Agreed. However...
> Any compromised uploader machine with stored passwords can
> be used to upload compromising code, which will propagate to all
> downloaders.
It doesn't really matter whether a compromised machine stores a password or
not. If you upload anything using a compromised machine, the attacker
has the opportunity to learn your password.

Also, Hackage doesn't use SSL/TLS, so compromising a machine isn't necessary
for learning Hackage passwords.
--
Antti-Juhani Kaijanaho, Jyväskylä, Finland
http://antti-juhani.kaijanaho.fi/newblog/
http://www.flickr.com/photos/antti-juhani/