[Haskell-cafe] Do I need an account to report build of Hackage packages?

Claus Reinke claus.reinke at talk21.com
Sat Nov 22 11:29:49 EST 2008


>> Any compromised uploader machine with stored passwords can
>> be used to upload compromising code, which will propagate to all 
>> downloaders.
> 
> It doesn't really matter whether a compromised machine stores a password or
> not.  If you upload anything using a compromised machine, the attacker
> has the opportunity to learn your password.

True. But storing the password means that the owner doesn't need to
initiate an upload, nor does the attacker need to capture keypresses,
listen on connections, identify uploads/logins/passwords in the captured
data, or do anything at all non-trivial, platform-specific or persistent 
(propagation could ignore the owner's machine).

> Also, Hackage doesn't use SSL/TLS, so compromising a machine isn't 
> necessary for learning Hackage passwords.

As Duncan says, an overall security review would be good, the sooner,
the better. But that shouldn't prevent incremental improvements wherever
they are found. One just needs to keep in mind that they make attacks
harder/less likely, not impossible.

Encouraging all users to keep an eye on the obvious holes may also make 
it more likely that the less obvious holes are noticed and addressed.

Claus
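The two "obvious holes" the message points at are a credential stored on the uploader's machine and an upload channel without SSL/TLS. As an added example, not code from the thread or from cabal/Hackage, here is a small Python audit that scans a cabal-style `key: value` config for a stored `password:` entry and for repository URLs fetched over plain `http://`, reporting both without echoing the secret. The field names, the `--` comment convention and the sample config text are assumptions modelled on cabal's config format, and the sample itself is constructed for the demonstration.

```python
"""Added example (not from the Haskell-cafe thread): audit a cabal-style
config for a stored plaintext password and for plain-http repositories.

Assumptions: the file uses `key: value` lines, `--` starts a comment, the
upload credential lives under `password:` and repositories are listed as
`remote-repo: name:url`. The sample below is constructed, not real data.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: an uploader's config with a stored credential and a
# repository reached over unencrypted http.
SAMPLE_CONFIG = """\
remote-repo: hackage.haskell.org:http://hackage.haskell.org/packages/archive
remote-repo-cache: /home/alice/.cabal/packages
username: alice
password: hunter2
-- password: this line is a comment and must be ignored
"""

# One `key: value` line; the key is a word with optional dashes.
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*:\s*(.*?)\s*$")


def mask(secret: str) -> str:
    """Replace a secret by a same-length mask so a report never leaks it."""
    return "*" * len(secret)


def _entries(text: str):
    """Yield (line_no, key, value) for every non-comment key/value line."""
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("--"):
            continue
        m = _KV.match(line)
        if m:
            yield no, m.group(1).lower(), m.group(2)


def find_stored_passwords(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, masked_value) for each non-empty `password:` entry.

    A stored password is the case the post describes: an attacker on the
    machine needs no keylogging or sniffing, only the file.
    """
    return [(no, mask(value)) for no, key, value in _entries(text)
            if key == "password" and value]


def find_plaintext_repos(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, url) for `remote-repo` entries using http://.

    Credentials sent to such a host travel unencrypted, which is the
    'no SSL/TLS' point raised in the thread.
    """
    found = []
    for no, key, value in _entries(text):
        if key != "remote-repo":
            continue
        # remote-repo values are `name:url`; keep the url part.
        url = value.split(":", 1)[1] if ":" in value else value
        if url.startswith("http://"):
            found.append((no, url))
    return found


def audit(text: str) -> Dict[str, list]:
    """Run both checks and return the findings keyed by check name."""
    return {
        "stored_password": find_stored_passwords(text),
        "plaintext_repo": find_plaintext_repos(text),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_CONFIG).items():
        for line_no, detail in hits:
            print(f"{check}: line {line_no}: {detail}")
```

Run against a real `~/.cabal/config` the script prints only line numbers and a masked value, so the report itself can be shared without disclosing the credential; an empty result for both checks means neither of the two issues discussed above is present in that file.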
