[Haskell-cafe] Offer to mirror Hackage

Vincent Hanquez tab at snarc.org
Wed Dec 8 10:31:31 CET 2010


  On 08/12/10 08:13, Ketil Malde wrote:
> My apologies for not expressing myself more clearly.  What I mean is
> that currently, Hackage has a ton of users, each of whom may at whim
> upload a new version of any library.  It's not clear to me that security
> is significantly worsened by adding a mirror.
>
> Assume I am out with ill intent:  I can now either a) set up a mirror,
> replace some central library with my evil trojan, launch a DOS attack
> against hackage.haskell.org to get users to switch, and gloat in my
> secret castle as I await the fruits of my cunning schemes -- or I can
> b) just upload my trojan library to hackage directly.
You have to start somewhere with security.

I think that an uploaded trojan library would be at least detectable as 
such, since the uploading user would have change (i'm not sure that what 
you had in mind ?).

Whereas on a mirror, it would be completely transparent to the users.

As a first step, having the hackage server and its users trusted, is 
hopefully reasonable. And then you can build up from there. This would 
be nice to be proactive before we actually detect such a thing, and we 
have to build a security infrastructure anyway ;)

-- 
Vincent



More information about the Haskell-Cafe mailing list