[Haskell-cafe] SSL support for hackage and cabal

Gershom Bazerman gershomb at gmail.com
Sun Nov 3 19:00:45 UTC 2013

On various topics:

Security is a multifaceted beast with many related issues, depending on 
which attack vectors we're concerned about, with what degree of assurance.

Ultimately, we rely on trusted parties, and so of course don't have a 
defense (other than 'many eyes') if someone were to hand e.g. SPJ or 
Austin or the maintainer of a key package in the Platform a swiss bank 
account with some quantity of gold sufficient to induce them to put in a 
backdoor, or perhaps just steal their computers, passwords, and keys to 
put in a backdoor themselves.

That said, even if we consider that we 'trust' key individuals involved, 
as well as the security of their keys and identity, we still have other 
vectors to prevent. Here's my summary of what I understand (thanks to 
Duncan for helping me sort this out on IRC. Most insights his, all 
omissions mine).

1) Only those individuals who own packages should be able to upload 
their packages.
     A) This is solvable soon and directly by adding SSL to hackage, so 
that they can upload (via the web interface) in a secure manner.
     B) To upload securely via "cabal upload" we'll need cabal to have 
access to the right secure protocols.
     C) The "easy" answer here is to shell out to curl or the like, and 
place the obligation on the end user to have the right security-enabled 
binaries on their system.
     D) Other than that, we need to use e.g. "tls" and "tls-extras"
     E) To trust those, we should encourage outreach to the security 
community as a whole to examine, harden, etc. the code. It is in the 
interests of many, not just in the haskell world, to have more, 
different, and reliable open-source implementations of our open 
protocols for secure communication.
     F) Even if we don't 'trust' tls sufficiently to bless it for the 
platform, we can still bake it into platform-distributed cabal-install 
binaries, as better than nothing.

2) When I download a package, I should be able to trust that the package 
I download is one uploaded by a verified uploader.
     A) This is about signing and verification, not a secure protocol as 
     B) It requires a different design. The library support is easier 
than that for SSL. However, there are more options for "how verified" we 
want the chain of trust to be -- is it sufficient for hackage to sign 
the tarballs, or do we want to let users sign their own tarballs and 
allow verification of that, etc.

On a related topic:

On 11/3/13 1:19 PM, Niklas Hambüchen wrote:
> There seem to be a lot of volunteers around who would like to help 
> (for example, I have asked for this multiple times over the last years 
> and this thread shows that there are many more people interested in it).

What we need is not a 'drive by' volunteer just for one-time certificate 
deployment (which is easy). Volunteers for hackage and cabal to tackle 
the bigger technical issues described above would be much more 
important. Join the cabal-devel mailinglist, or hang out in #hackage on 
irc, or both.

On reducing the load on the core infra team, what would be best is 
people able to devote a consistent (even if small) amount of time on a 
prolonged basis. Someone familiar with various virtualization 
technologies and deployment on linux would be ideal. Join the 
#haskell-infrastructure channel on irc, the haskell-infrastructure list 
hosted by galois, email admin at haskell.org, or email me directly, and 
we'll see where you might fit in best. It's great if people want to jump 
in -- there's plenty of work to be done. Let's centralize what people 
have to offer, so that we can work most efficiently!


More information about the Haskell-Cafe mailing list