[Haskell-cafe] [Security] Put haskell.org on https
akamaus at gmail.com
Sun Oct 28 11:59:00 CET 2012
On 10/28/2012 03:20 AM, Niklas Hambüchen wrote:
> - abuse your hackage account and override arbitrary packages
> (especially since hackage allows everybody to override everything)
Does hackage at least store the logs of package uploads? What's the
reason for such a security model? I guess it was appropriate in the past
when hackage was an experimental service, but now it's a standard way of
distributing Haskell code. If anyone can update any package, we are
waiting for a disaster. I have some Haskell code I wrote myself
running as root and these thoughts make me shiver.
Https is a must-have in the current situation, but it's only part of a solution.