[Haskell-cafe] Offer to mirror Hackage

C. McCann cam at uptoisomorphism.net
Wed Dec 8 16:29:43 CET 2010


On Wed, Dec 8, 2010 at 5:41 AM, Ketil Malde <ketil at malde.org> wrote:
> I'm a bit surprised to find that there seems to be a lot of opposition
> to this view, but perhaps the existing structure is more secure than I
> thought?

The difference is in the ability to influence other packages and
metadata, I think. You could upload a trojan to Hackage right now, but
who would ever install it? You could go to the effort of becoming
responsible for a package that people do use and then slip the trojan
in later, but the update to the package will still be visible
and--since this is now a package that people actually use--some
do-gooder will probably stumble on your nefarious plot in the process
of simple compatibility checking or such.

On the other hand, by running a malicious mirror, nothing stops you
from inserting (unsafePerformIO installRootKit) into the bytestring
package with no indication of a change.

All of this applies equally to Hackage as it stands, of course, the
difference being the implicit trust the community puts in the people
with administrative power over it. If someone else who already has
that degree of informal trust put up a mirror I don't think anyone
would have a problem using it.

As always security is a matter of degree, but Hackage is just
high-profile enough that a bit of care is probably warranted. And I
suspect that most worthwhile interim solutions to add a bit of trust
for mirrors would be almost as much effort as a complete solution.

- C.
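Added example, not part of the original message and not Hackage or cabal code: a minimal check for the case described above, where a mirror serves a package under an unchanged name and version but with different contents. It assumes a digest manifest obtained from the trusted origin over a separate channel; the function names, package ids and byte strings are hypothetical, constructed sample data.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(packages: dict) -> dict:
    """Map 'name-version' -> SHA-256 of the tarball as published by the trusted origin."""
    return {pkg_id: sha256_hex(blob) for pkg_id, blob in packages.items()}

def audit_mirror(manifest: dict, mirror: dict) -> dict:
    """Classify every package the mirror serves against the trusted manifest."""
    report = {}
    for pkg_id, blob in mirror.items():
        expected = manifest.get(pkg_id)
        if expected is None:
            report[pkg_id] = "unknown"    # mirror serves something the origin never listed
        elif hmac.compare_digest(expected, sha256_hex(blob)):
            report[pkg_id] = "ok"
        else:
            report[pkg_id] = "modified"   # same name and version, different bytes
    for pkg_id in manifest.keys() - mirror.keys():
        report[pkg_id] = "missing"        # origin lists it, mirror does not serve it
    return report

# Constructed sample data: stand-ins for tarball bytes, not real Hackage packages.
ORIGIN = {
    "bytestring-1.0": b"module Data.ByteString where -- origin copy",
    "example-a-1.0": b"module ExampleA where -- origin copy",
    "example-b-2.0": b"module ExampleB where -- origin copy",
}
MIRROR = {
    "bytestring-1.0": b"module Data.ByteString where -- altered copy",
    "example-a-1.0": ORIGIN["example-a-1.0"],
    "example-c-1.0": b"module ExampleC where",
}

def run_demo() -> dict:
    return audit_mirror(build_manifest(ORIGIN), MIRROR)

if __name__ == "__main__":
    for pkg_id, status in sorted(run_demo().items()):
        print(f"{pkg_id:20} {status}")
```

The check is only as trustworthy as the channel the manifest arrives over: a manifest fetched from the same mirror proves nothing.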


