[Haskell-cafe] Offer to mirror Hackage
Ketil Malde
ketil at malde.org
Wed Dec 8 09:13:19 CET 2010
Darrin Chandler <dwchandler at stilyagin.com> writes:

>> It's not obvious to me that adding a mirror makes the infrastructure
>> more insecure. Any particular concerns? (I hope I qualify as
>> naïve here :-)

> If you run a mirror people will come to you for software to run on their
> machines. I see a way to take advantage of that immediately.

My apologies for not expressing myself more clearly. What I mean is
that currently, Hackage has a ton of users, each of whom may at whim
upload a new version of any library. It's not clear to me that security
is significantly worsened by adding a mirror.

Assume I am out with ill intent: I can now either a) set up a mirror,
replace some central library with my evil trojan, launch a DOS attack
against hackage.haskell.org to get users to switch, and gloat in my
secret castle as I await the fruits of my cunning schemes -- or I can
b) just upload my trojan library to hackage directly.

http://flaam.org/~jont/humor/uke48/Friends_of_Irony/image007.jpg

-k
--
If I haven't seen further, it is by standing in the footprints of giants