[Haskell-cafe] Offer to mirror Hackage
ok at cs.otago.ac.nz
Tue Dec 14 01:23:53 CET 2010
On 14/12/2010, at 2:25 AM, Paul Sargent wrote:
> On Sat, Dec 11, 2010 at 19:51, Brandon S Allbery KF8NH <allbery at ece.cmu.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On 12/9/10 16:04 , Richard O'Keefe wrote:
> > I thought "X is a mirror of Y" meant X would be a read-only replica of Y,
> > with some sort of protocol between X and Y to keep X up to date.
> > As long as the material from Y replicated at X is *supposed* to be
> > publicly available, I don't see a security problem here. Only Y accepts
> > updates from outside, and it continues to do whatever authentication it
> > would do without a mirror. The mirror X would *not* accept updates.
> The above assumes that the operator of the mirror is trustworthy. It
> wouldn't be difficult for a hostile party to set up a mirror, but then
> modify the packages to include malware payloads --- if the packages aren't
> signed. (Or even if they are signed if it's a sufficiently weak algorithm.
> MD5 is already unusable for the purpose.)
True, but right now we're vulnerable to man-in-the-middle attacks, DNS
spoofing, and a whole lot of other things. If there is any way to be
sure that what I see when I visit hackage.haskell.org is the *real*
hackage, my browser doesn't know about it.
> How about, as a cheep and cheerful method to get up running. If the premise is that the original server is trustworthy and the mirrors aren't, then:
> 1) Hash all packages on the original server.
> 2) Hash goes into a side car file (e.g. <packagename>.sha) that lives next to the package
> 3) Modify cabal so that it can install from a mirror, but always gets the hash from the original server.
> 4) Before install you check the hash is correct.
This suffers from two problems.
A. I am willing to grant that the original server is trustworthy,
but "DNS lookup gives me the address of the original server and not a spoofer"
seems every bit as dodgy an assumption as the trustworthiness of the mirrors.
B. Wasn't the original motivation for wanting mirrors *availablity*? If you have
to get the hash from the original server and the original server is down, then
having a mirror has done you no good at all.
Perhaps someone on this list understands what CRAN does could explain it here.
I know that the R install.packages(...) command goes through mirrors.
More information about the Haskell-Cafe