[Haskell-cafe] Enhancing the security of hackage

Lally Singh lally.singh at gmail.com
Thu Dec 9 13:11:18 CET 2010

On Thu, Dec 9, 2010 at 7:04 AM, Ketil Malde <ketil at malde.org> wrote:
> Vincent Hanquez <tab at snarc.org> writes:
>> You might have misunderstood what I was talking about. I'm proposing
>> signing on the hackage server on reception of the package,
> Okay, fair enough.  You can't *enforce* this, of course, since I might
> work without general internet access but a local mirror, but you could
> require me to run 'cabal --dont-check-signatures' or similar, so this
> would still make a hostile-operated mirror less useful.
> OTOH, if I should suggest improving the security of Hackage, I would
> prioritize:
> a) email the maintainer whenever a new upload is accepted - preferably
>   with a notice about whether the build works or fails.  Mabye also
>   highlight the case when maintainer differs from uploader - if that
>   doesn't give a ton of false positives.
> b) email the *previous* maintainer when a new upload is accepted and the
>   maintainer field has changed.
> This way, somebody is likely to actually *notice* when some evil person
> uploads a trojan mtl or bytestring or whatever.  The downside is more
> mail, and the people who run Hackage have been wary about this.  So
> perhaps even this is on the wrong side of the cost/benefit fence.
> (People with admin privileges (staff or hackers) to hackage can of course
>  still work around everything - crypto signatures or email-schemes.)
> -k

Also, perhaps put the signatures on a separate machine from the one
containing .tar.gz.  For a 3rd party to corrupt a package, they'd need
to hack 2 machines.

More information about the Haskell-Cafe mailing list