[Haskell-cafe] Automating Hackage accounts

Tobias Dammers tdammers at gmail.com
Thu Jun 13 16:22:02 CEST 2013


On Thu, Jun 13, 2013 at 05:07:38PM +0300, Mihai Maruseac wrote:
> On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers <tdammers at gmail.com> wrote:
> > On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
> >> Could we add an HTML form for creating new Hackage accounts? Right now, our
> >> community is small enough that emailing ross at soi.city.ac.uk and waiting for
> >> a manual response isn't too bad of a problem, but as we grow, it would be
> >> nice for these sorts of things to be handled by a server, like with
> >> RubyGems and NPM.
> >
> > IMHO, a more pressing issue is SSL uploads and package signing. As it
> > stands, anyone with a Hackage account can upload a new version of any
> > given package, and some wire-sniffing is enough to reveal a legit user's
> > password.
> 
> I'd try to solve the latter two things first before going into
> creating a specific form.
> 
> On the other hand, maybe we can rig something up with Yesod or similar
> to solve all three points at the same time. I'm busy now with my
> master's dissertation but I can attempt something in a month if it seems
> ok and no one else does it before that date.

IIRC, there have been previous attempts, or at least a discussion. I
can't remember what the result was, though.

Either way, it'll take more than just a Yesod web application built over
a weekend; signed packages would require package authors to, well, sign,
so cabal would need features for that; you'd also have to extend it to
*check* those signatures, and give the user options to refuse or allow
unsigned packages. SSL should be relatively simple though, mostly a
matter of updating cabal's configuration and installing a suitable
certificate on the hackage server.


