[Haskell-cafe] Offer to mirror Hackage
Vincent Hanquez
tab at snarc.org
Wed Dec 8 10:31:31 CET 2010
On 08/12/10 08:13, Ketil Malde wrote:
> My apologies for not expressing myself more clearly. What I mean is
> that currently, Hackage has a ton of users, each of whom may at whim
> upload a new version of any library. It's not clear to me that security
> is significantly worsened by adding a mirror.
>
> Assume I am out with ill intent: I can now either a) set up a mirror,
> replace some central library with my evil trojan, launch a DOS attack
> against hackage.haskell.org to get users to switch, and gloat in my
> secret castle as I await the fruits of my cunning schemes -- or I can
> b) just upload my trojan library to hackage directly.
You have to start somewhere with security.
I think that an uploaded trojan library would be at least detectable as
such, since the uploading user would have changed (I'm not sure that's what
you had in mind?).
Whereas on a mirror, it would be completely transparent to the users.
As a first step, having the hackage server and its users trusted is
hopefully reasonable. And then you can build up from there. It would
be nice to be proactive before we actually detect such a thing, and we
have to build a security infrastructure anyway ;)
--
Vincent