[Haskell-cafe] Offer to mirror Hackage

Paul Sargent psarge+haskell at gmail.com
Mon Dec 13 14:25:59 CET 2010


On Sat, Dec 11, 2010 at 19:51, Brandon S Allbery KF8NH
<allbery at ece.cmu.edu> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/9/10 16:04 , Richard O'Keefe wrote:
> > I thought "X is a mirror of Y" meant X would be a read-only replica of Y,
> > with some sort of protocol between X and Y to keep X up to date.
> > As long as the material from Y replicated at X is *supposed* to be
> > publicly available, I don't see a security problem here.  Only Y accepts
> > updates from outside, and it continues to do whatever authentication it
> > would do without a mirror.  The mirror X would *not* accept updates.
>
> The above assumes that the operator of the mirror is trustworthy.  It
> wouldn't be difficult for a hostile party to set up a mirror, but then
> modify the packages to include malware payloads --- if the packages aren't
> signed.  (Or even if they are signed if it's a sufficiently weak algorithm.
>  MD5 is already unusable for the purpose.)
>

How about this, as a cheap and cheerful method to get up and running. If the
premise is that the original server is trustworthy and the mirrors aren't, then:

1) Hash all packages on the original server.
2) Hash goes into a side car file (e.g. <packagename>.sha) that lives next
to the package.
3) Modify cabal so that it can install from a mirror, but always gets the
hash from the original server.
4) Before install you check the hash is correct.

This gives you a few things:

1) Every package downloaded from a mirror is guaranteed to be the same as
downloading from the original server. This seems to avoid most people's
security concerns.
2) Although there's a transfer from the central server for every download,
it's low bandwidth, so the majority of the load is transferred to the mirror.
3) If the central server goes down a user could elect to ignore the hash,
and still get the package.

If this isn't enough then you're down the road of a GPG based solution.
Setting up some signing keys for packages, distributing the public halves to
all clients, etc, etc... If that's the road you want I'd suggest looking at
how Debian solved the problem. <http://wiki.debian.org/SecureApt>
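The verify-before-install step of the scheme above, as an added example that is not part of the original post or of cabal: the package bytes come from a mirror, the sidecar digest comes from the trusted origin, and the package is installed only if the two agree. It assumes SHA-256 and a `sha256sum`-style sidecar line (the post leaves the algorithm and file format open), and the sample package and sidecar are constructed inline.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data: the tarball body as served by a mirror, the sidecar
# as served by the origin, and a mirror copy with an extra line injected.
NAME = "example-package-1.0.tar.gz"
PACKAGE_BYTES = b"example-package-1.0.tar.gz contents (constructed)"
SIDECAR_TEXT = hashlib.sha256(PACKAGE_BYTES).hexdigest() + "  " + NAME + "\n"
TAMPERED_BYTES = PACKAGE_BYTES + b"\n# injected line (constructed)"

HEX_DIGITS = set("0123456789abcdef")


class VerificationError(Exception):
    """Raised when a mirror download must not be installed."""


def parse_sidecar(text: str, expected_name: str) -> str:
    """Return the lowercase hex digest recorded for expected_name.

    Sidecar format assumed: one '<hex digest>  <filename>' line per file.
    A missing or malformed entry is an error, never a silent pass.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] != expected_name:
            continue
        digest = parts[0].lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise VerificationError("malformed digest in sidecar")
        return digest
    raise VerificationError(f"no digest for {expected_name} in sidecar")


def verify_package(package: bytes, name: str, sidecar: Optional[str],
                   allow_unverified: bool = False) -> str:
    """Check mirror bytes against the origin's digest before install.

    sidecar is None when the origin could not be reached (point 3 of the
    post): only then, and only if the user opted in, is the package accepted
    as 'unverified'. Everything else must match exactly to be 'verified'.
    """
    if sidecar is None:
        if allow_unverified:
            return "unverified"
        raise VerificationError("origin unreachable; refusing to install without a hash")
    expected = parse_sidecar(sidecar, name)
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise VerificationError("digest mismatch: mirror copy differs from origin")
    return "verified"
```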