[Haskell-cafe] Do I need an account to report build of Hackage packages?

Antti-Juhani Kaijanaho antti-juhani at kaijanaho.fi
Sat Nov 22 10:45:18 EST 2008


On Sat, Nov 22, 2008 at 03:11:34PM -0000, Claus Reinke wrote:
>> You only need an account for uploading packages. If you do not want to
>> have to enter your user name or password interactively when you run
>> "cabal upload" then you can put them in the config file:
>>
>> username:
>> password:
>
> That sounds like a very bad idea, and should not be encouraged!

Agreed.  However...

> Any compromised uploader machine with stored passwords can
> be used to upload compromising code, which will propagate to all 
> downloaders.

It doesn't really matter whether a compromised machine stores a password or
not.  If you upload anything using a compromised machine, the attacker
has the opportunity to learn your password.

Also, Hackage doesn't use SSL/TLS, so compromising a machine isn't necessary
for learning Hackage passwords.

-- 
Antti-Juhani Kaijanaho, Jyväskylä, Finland
http://antti-juhani.kaijanaho.fi/newblog/
http://www.flickr.com/photos/antti-juhani/
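
Added example (not part of the original message): a small audit for the stored-credential setup discussed in this thread, reporting whether a cabal-style config file holds a non-empty `password:` field and whether that file is accessible to other local users. The default path `~/.cabal/config` and the sample file contents are assumptions; the check says nothing about an already compromised machine or about credentials observed on the network.

```python
import os
import stat
import tempfile

# Assumed default location of the cabal config file (not stated in the thread).
DEFAULT_CONFIG = os.path.expanduser("~/.cabal/config")

def stored_credentials(config_text):
    """Return the credential fields (username/password) that hold a non-empty value."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):  # "--" starts a comment line
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("username", "password") and value.strip():
            found.append(key.strip().lower())
    return found

def audit(path):
    """Return a list of findings for one config file."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        fields = stored_credentials(fh.read())
    if "password" in fields:
        findings.append("password stored in plaintext")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("file is accessible to group/other (mode %o)" % mode)
    return findings

def demo():
    """Audit a constructed sample config under loose and tight permissions."""
    sample = "-- password: commented-out\nusername: alice\npassword: example-only\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        loose = audit(path)
        os.chmod(path, 0o600)
        tight = audit(path)
    return loose, tight

if __name__ == "__main__":
    print(demo())
    if os.path.exists(DEFAULT_CONFIG):
        print(DEFAULT_CONFIG, audit(DEFAULT_CONFIG))
```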

