[Haskell-cafe] Ticking time bomb
tab at snarc.org
Thu Jan 31 09:35:43 CET 2013
On 01/31/2013 08:16 AM, Ketil Malde wrote:
> *MY* proposal is that:
> 0. Hackage sends an email to the previous uploader whenever a new
> version of a package is uploaded by somebody else.
> At least that way, I would be notified if it happened to my packages,
> and I would be able to check up on the situation, and rectify it.
you wouldn't in real cases, it just fix the most obvious and simple
attack vector. but consider:
* someone intercepting your upload http stream, and replacing
dynamically your package.
* someone gaining malicious access to hackage and planting stuff inside
* a rogue hackage admin.
* a rogue hackage mirror admin.
it's obviously less easy than just creating an account and uploading
things on top of other packages, but i don't think we should feel safe
if the previous maintainer received an email about the change. For
example, previous maintainer might be away from email for a long time
potentially leaving a trojan version for days/weeks, or changed email
More information about the Haskell-Cafe