[Haskell-cafe] Ticking time bomb
Vincent Hanquez
tab at snarc.org
Thu Jan 31 09:35:43 CET 2013
On 01/31/2013 08:16 AM, Ketil Malde wrote:
> *MY* proposal is that:
>
> 0. Hackage sends an email to the previous uploader whenever a new
> version of a package is uploaded by somebody else.
>
> At least that way, I would be notified if it happened to my packages,
> and I would be able to check up on the situation, and rectify it.
>
You wouldn't in real cases; it just fixes the most obvious and simple
attack vector. But consider:
* someone intercepting your upload HTTP stream and replacing
your package dynamically.
* someone gaining malicious access to Hackage and planting stuff inside
packages.
* a rogue Hackage admin.
* a rogue Hackage mirror admin.
It's obviously less easy than just creating an account and uploading
things on top of other packages, but I don't think we should feel safe
because the previous maintainer received an email about the change. For
example, the previous maintainer might be away from email for a long time,
potentially leaving a trojan version up for days/weeks, or might have changed
email address.
--
Vincent
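As an added illustration of the point made in this reply (a constructed model written for this page, not Hackage's code): a toy repository implements Ketil's "email the previous uploader" rule and is run through the four scenarios Vincent lists. The package name, the accounts and the tarball contents are made up; the only thing modelled is whether the notification fires and whether a trojaned tarball ends up being served.

```python
"""Toy model of the 'email the previous uploader' proposal being discussed.

Constructed example added to this page; it is not Hackage code.  A Repo
stores one tarball per (package, version) and, as Ketil proposes, records an
email to the previous uploader whenever a new version of a package is
uploaded by a different account.  The four scenarios below are the attack
vectors from Vincent's reply; run_scenarios() reports, for each, whether the
email fires and whether a trojaned tarball ends up being served.
"""
import copy
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Repo:
    blobs: dict = field(default_factory=dict)          # (pkg, ver) -> bytes
    last_uploader: dict = field(default_factory=dict)  # pkg -> account
    notifications: list = field(default_factory=list)  # (to, pkg, ver, by)

    def upload(self, account: str, pkg: str, ver: str, data: bytes) -> None:
        prev = self.last_uploader.get(pkg)
        if prev is not None and prev != account:
            # The proposed check: notify only on a change of uploader.
            self.notifications.append((prev, pkg, ver, account))
        self.blobs[(pkg, ver)] = data
        self.last_uploader[pkg] = account

    def serves(self, data: bytes) -> bool:
        """True if any stored tarball has the same digest as `data`."""
        return any(sha256(b) == sha256(data) for b in self.blobs.values())


# Constructed tarball contents standing in for real archives.
GENUINE_1_0 = b"foo-1.0.tar.gz: genuine"
GENUINE_1_1 = b"foo-1.1.tar.gz: genuine"
TROJAN = b"foo-x.y.tar.gz: trojaned"


def run_scenarios() -> dict:
    """Map scenario name -> (email_sent, trojan_served)."""
    out = {}

    # 1. The case the proposal covers: someone else uploads on top of foo.
    r = Repo()
    r.upload("maintainer", "foo", "1.0", GENUINE_1_0)
    r.upload("attacker", "foo", "1.1", TROJAN)
    out["other account uploads"] = (len(r.notifications) == 1, r.serves(TROJAN))

    # 2. Upload stream intercepted: the maintainer's own session carries the
    #    swapped bytes, so the uploader account never changes.
    r = Repo()
    r.upload("maintainer", "foo", "1.0", GENUINE_1_0)
    on_the_wire = TROJAN  # hypothetical in-path attacker replaced GENUINE_1_1
    r.upload("maintainer", "foo", "1.1", on_the_wire)
    out["upload intercepted"] = (len(r.notifications) == 1, r.serves(TROJAN))

    # 3. Malicious access to the server / rogue admin: the stored tarball is
    #    edited in place; there is no upload event to hook at all.
    r = Repo()
    r.upload("maintainer", "foo", "1.0", GENUINE_1_0)
    r.blobs[("foo", "1.0")] = TROJAN
    out["server-side edit"] = (len(r.notifications) == 1, r.serves(TROJAN))

    # 4. Rogue mirror admin: the origin is untouched, the mirror's copy is not.
    origin = Repo()
    origin.upload("maintainer", "foo", "1.0", GENUINE_1_0)
    mirror = copy.deepcopy(origin)
    mirror.blobs[("foo", "1.0")] = TROJAN
    out["rogue mirror"] = (len(origin.notifications) == 1, mirror.serves(TROJAN))

    return out


if __name__ == "__main__":
    for name, (emailed, served) in run_scenarios().items():
        print(f"{name:24s} email sent: {emailed!s:5s} trojan served: {served}")
```

Only the first scenario changes the uploader account, so only the first one produces an email; in the other three the trojaned tarball is served and the rule stays silent, which is the gap the reply is pointing at.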