[Haskell-cafe] Offer to mirror Hackage

Ketil Malde ketil at malde.org
Wed Dec 8 09:13:19 CET 2010

Darrin Chandler <dwchandler at stilyagin.com> writes:

>> It's not obvious to me that adding a mirror makes the infrastructure
>> more more insecure.  Any particular concerns?  (I hope I qualify as
>> naïve here :-)

> If you run a mirror people will come to you for software to run on their
> machines. I see a way to take advantage of that immediately.

My apologies for not expressing myself more clearly.  What I mean is
that currently, Hackage has a ton of users, each of whom may at whim
upload a new version of any library.  It's not clear to me that security
is significantly worsened by adding a mirror.

Assume I am out with ill intent:  I can now either a) set up a mirror,
replace some central library with my evil trojan, launch a DOS attack
against hackage.haskell.org to get users to switch, and gloat in my
secret castle as I await the fruits of my cunning schemes -- or I can
b) just upload my trojan library to hackage directly.


If I haven't seen further, it is by standing in the footprints of giants

More information about the Haskell-Cafe mailing list