[Haskell-cafe] Enhancing the security of hackage

Ketil Malde ketil at malde.org
Thu Dec 9 13:04:59 CET 2010

Vincent Hanquez <tab at snarc.org> writes:

> You might have misunderstood what I was talking about. I'm proposing
> signing on the hackage server on reception of the package,

Okay, fair enough.  You can't *enforce* this, of course, since I might
work without general internet access but a local mirror, but you could
require me to run 'cabal --dont-check-signatures' or similar, so this
would still make a hostile-operated mirror less useful.

OTOH, if I should suggest improving the security of Hackage, I would

a) email the maintainer whenever a new upload is accepted - preferably
   with a notice about whether the build works or fails.  Mabye also
   highlight the case when maintainer differs from uploader - if that
   doesn't give a ton of false positives.

b) email the *previous* maintainer when a new upload is accepted and the
   maintainer field has changed.

This way, somebody is likely to actually *notice* when some evil person
uploads a trojan mtl or bytestring or whatever.  The downside is more
mail, and the people who run Hackage have been wary about this.  So
perhaps even this is on the wrong side of the cost/benefit fence.

(People with admin privileges (staff or hackers) to hackage can of course
 still work around everything - crypto signatures or email-schemes.)

If I haven't seen further, it is by standing in the footprints of giants

More information about the Haskell-Cafe mailing list