[Haskell-cafe] Offer to mirror Hackage
Richard O'Keefe
ok at cs.otago.ac.nz
Tue Dec 14 01:23:53 CET 2010
On 14/12/2010, at 2:25 AM, Paul Sargent wrote:
>
>
> On Sat, Dec 11, 2010 at 19:51, Brandon S Allbery KF8NH <allbery at ece.cmu.edu> wrote:
>
> On 12/9/10 16:04 , Richard O'Keefe wrote:
> > I thought "X is a mirror of Y" meant X would be a read-only replica of Y,
> > with some sort of protocol between X and Y to keep X up to date.
> > As long as the material from Y replicated at X is *supposed* to be
> > publicly available, I don't see a security problem here. Only Y accepts
> > updates from outside, and it continues to do whatever authentication it
> > would do without a mirror. The mirror X would *not* accept updates.
>
> The above assumes that the operator of the mirror is trustworthy. It
> wouldn't be difficult for a hostile party to set up a mirror, but then
> modify the packages to include malware payloads --- if the packages aren't
> signed. (Or even if they are signed if it's a sufficiently weak algorithm.
> MD5 is already unusable for the purpose.)
True, but right now we're vulnerable to man-in-the-middle attacks, DNS
spoofing, and a whole lot of other things. If there is any way to be
sure that what I see when I visit hackage.haskell.org is the *real*
hackage, my browser doesn't know about it.
>
> How about, as a cheap and cheerful method to get up and running. If the premise is that the original server is trustworthy and the mirrors aren't, then:
>
> 1) Hash all packages on the original server.
> 2) Hash goes into a side car file (e.g. <packagename>.sha) that lives next to the package
> 3) Modify cabal so that it can install from a mirror, but always gets the hash from the original server.
> 4) Before install you check the hash is correct.
This suffers from two problems.
A. I am willing to grant that the original server is trustworthy,
but "DNS lookup gives me the address of the original server and not a spoofer"
seems every bit as dodgy an assumption as the trustworthiness of the mirrors.
B. Wasn't the original motivation for wanting mirrors *availability*? If you have
to get the hash from the original server and the original server is down, then
having a mirror has done you no good at all.
Perhaps someone on this list who understands what CRAN does could explain it here.
I know that the R install.packages(...) command goes through mirrors.
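The side-car hash scheme proposed in the quoted message, together with objection B, worked through as an added Python example (not code from this thread, from cabal or from Hackage); the package name, the directory layout, the `sha256 <hex>` side-car format and the local directories standing in for servers are all constructed assumptions.

```python
import hashlib
import hmac
import os
import shutil
import tempfile
HASH_ALG = "sha256"  # MD5 is named in the thread as already unusable for this

def publish(origin_dir, name, payload):
    # Origin side (steps 1 and 2): package plus a <packagename>.sha side-car file.
    os.makedirs(origin_dir, exist_ok=True)
    with open(os.path.join(origin_dir, name), "wb") as f:
        f.write(payload)
    with open(os.path.join(origin_dir, name + ".sha"), "w") as f:
        f.write(f"{HASH_ALG} {hashlib.new(HASH_ALG, payload).hexdigest()}\n")

def trusted_digest(origin_dir, name):
    # Step 3: the hash is read from the origin only; a missing directory models an unreachable origin (objection B).
    path = os.path.join(origin_dir, name + ".sha")
    if not os.path.isfile(path):
        raise ConnectionError("origin unavailable: no trusted hash to check against")
    with open(path) as f:
        alg, digest = f.read().split()
    if alg != HASH_ALG:  # refuse a weak or unexpected algorithm such as md5
        raise ValueError(f"unacceptable hash algorithm {alg}")
    return digest

def verify(mirror_dir, origin_dir, name):
    # Step 4: hash what the mirror served and compare with the origin's digest.
    with open(os.path.join(mirror_dir, name), "rb") as f:
        served = hashlib.new(HASH_ALG, f.read()).hexdigest()
    return hmac.compare_digest(served, trusted_digest(origin_dir, name))

def demo():
    # Constructed scenario: honest mirror, tampering mirror, origin down -> (honest_ok, hostile_ok, origin_down)
    root = tempfile.mkdtemp()
    origin, honest, hostile = (os.path.join(root, d) for d in ("origin", "honest", "hostile"))
    publish(origin, "foo-1.0.tar.gz", b"original package contents")
    shutil.copytree(origin, honest)
    shutil.copytree(origin, hostile)
    with open(os.path.join(hostile, "foo-1.0.tar.gz"), "ab") as f:
        f.write(b"extra bytes inserted by the mirror operator")
    honest_ok = verify(honest, origin, "foo-1.0.tar.gz")
    hostile_ok = verify(hostile, origin, "foo-1.0.tar.gz")
    try:
        verify(honest, os.path.join(root, "missing-origin"), "foo-1.0.tar.gz")
        origin_down = False
    except ConnectionError:
        origin_down = True
    shutil.rmtree(root)
    return honest_ok, hostile_ok, origin_down
```

The hostile mirror also carries a copy of the `.sha` file, but the client never reads it, which is the whole point of step 3; the last outcome shows that the check cannot be performed at all when the origin is unreachable.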