[Haskell-cafe] Ticking time bomb
ketil at malde.org
Thu Jan 31 09:16:03 CET 2013
Ertugrul Söylemez <es at ertes.de> writes:
> People are using Hackage!
+1. And I keep telling people to use it. Sure, it'd be better if they
used .debs, .rpms, or whatever goes on Mac and Windows. But that would
mean I would need to build those packages, including maintaining systems
with the respective OSes. I haven't even managed to do it for the
systems I do use.
The most simple and obvious threat is here that some random evil person
gets a Hackage account, uploads a new version of a common package with a
trojan, and waits for unsuspecting users to download and install it.
> My proposal is:
> 1. Build the necessary machinery into Cabal to allow signing [...]
*MY* proposal is that:
0. Hackage sends an email to the previous uploader whenever a new
version of a package is uploaded by somebody else.
At least that way, I would be notified if it happened to my packages,
and I would be able to check up on the situation, and rectify it.
This is not to say that cryptographic signing is the wrong thing to do,
but a very simple thing like this, which would probably take all of five
minutes to implement, would reduce risk by a substantial amount.
If I haven't seen further, it is by standing in the footprints of giants
More information about the Haskell-Cafe