[Haskell-cafe] Enhancing the security of hackage
ketil at malde.org
Thu Dec 9 13:04:59 CET 2010
Vincent Hanquez <tab at snarc.org> writes:
> You might have misunderstood what I was talking about. I'm proposing
> signing on the hackage server on reception of the package,
Okay, fair enough. You can't *enforce* this, of course, since I might
work without general internet access but a local mirror, but you could
require me to run 'cabal --dont-check-signatures' or similar, so this
would still make a hostile-operated mirror less useful.
OTOH, if I should suggest improving the security of Hackage, I would
a) email the maintainer whenever a new upload is accepted - preferably
with a notice about whether the build works or fails. Mabye also
highlight the case when maintainer differs from uploader - if that
doesn't give a ton of false positives.
b) email the *previous* maintainer when a new upload is accepted and the
maintainer field has changed.
This way, somebody is likely to actually *notice* when some evil person
uploads a trojan mtl or bytestring or whatever. The downside is more
mail, and the people who run Hackage have been wary about this. So
perhaps even this is on the wrong side of the cost/benefit fence.
(People with admin privileges (staff or hackers) to hackage can of course
still work around everything - crypto signatures or email-schemes.)
If I haven't seen further, it is by standing in the footprints of giants
More information about the Haskell-Cafe