[Haskell-cafe] Ticking time bomb

Ketil Malde ketil at malde.org
Thu Jan 31 09:16:03 CET 2013

Ertugrul Söylemez <es at ertes.de> writes:

>     People are using Hackage!

+1. And I keep telling people to use it.  Sure, it'd be better if they
used .debs, .rpms, or whatever goes on Mac and Windows.  But that would
mean I would need to build those packages, including maintaining systems
with the respective OSes.  I haven't even managed to do it for the
systems I do use.

The most simple and obvious threat here is that some random evil person
gets a Hackage account, uploads a new version of a common package with a
trojan, and waits for unsuspecting users to download and install it.

> My proposal is:
>   1. Build the necessary machinery into Cabal to allow signing [...]

*MY* proposal is that:

0. Hackage sends an email to the previous uploader whenever a new
   version of a package is uploaded by somebody else.

At least that way, I would be notified if it happened to my packages,
and I would be able to check up on the situation, and rectify it.

This is not to say that cryptographic signing is the wrong thing to do,
but a very simple thing like this, which would probably take all of five
minutes to implement, would reduce risk by a substantial amount.

If I haven't seen further, it is by standing in the footprints of giants
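An added sketch of the check proposed in step 0 above (example code, not Hackage's or the author's own): it walks a constructed upload log and, for each upload made by an account other than the package's previous uploader, returns the account that should be emailed. The record and function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical upload record; field names are assumptions, not Hackage's schema.
@dataclass(frozen=True)
class Upload:
    package: str
    version: str
    uploader: str  # account name of the uploading user


def previous_uploader(history: List[Upload], package: str) -> Optional[str]:
    """Account that made the most recent earlier upload of `package`, if any."""
    for rec in reversed(history):
        if rec.package == package:
            return rec.uploader
    return None  # first upload of this package: nobody to notify


def notification_for(history: List[Upload], upload: Upload) -> Optional[Tuple[str, str]]:
    """Return (recipient, message) when the uploader differs from the previous one."""
    prev = previous_uploader(history, upload.package)
    if prev is None or prev == upload.uploader:
        return None
    msg = (f"{upload.package}-{upload.version} was uploaded by {upload.uploader}; "
           f"you made the previous upload. Please check this is expected.")
    return (prev, msg)


def process_uploads(uploads: List[Upload]) -> List[Tuple[str, str]]:
    """Replay an upload log in order, collecting the emails the hook would send."""
    history: List[Upload] = []
    notices: List[Tuple[str, str]] = []
    for up in uploads:
        notice = notification_for(history, up)
        if notice is not None:
            notices.append(notice)
        history.append(up)
    return notices


# Constructed sample log: a normal release, then a release by a different account.
SAMPLE_LOG = [
    Upload("somepkg", "1.0", "alice"),
    Upload("somepkg", "1.1", "alice"),
    Upload("otherpkg", "0.1", "bob"),
    Upload("somepkg", "1.2", "mallory"),
    Upload("somepkg", "1.3", "mallory"),  # same uploader as before: no mail
]

if __name__ == "__main__":
    for recipient, message in process_uploads(SAMPLE_LOG):
        print(f"mail to {recipient}: {message}")
```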
