[Haskell-cafe] [Security] Put haskell.org on https

Dmitry Vyal akamaus at gmail.com
Sun Oct 28 11:59:00 CET 2012

On 10/28/2012 03:20 AM, Niklas Hambüchen wrote:
> - abuse your hackage account and override arbitrary packages
>    (especially since hackage allows everybody to override everything)
Does hackage at least store the logs of package uploads? What's the 
reason for such a security model? I guess it was appropriate in the past 
when hackage was an experimental service, but now it's a standard way of 
distributing Haskell code. If anyone can update any package, we are 
waiting for the disaster. I have some haskell code I wrote myself 
running as root and these thoughts make me shiver.

Https is a must-have in the current situation, but it's only part of a solution.

