[Haskell-cafe] Unmaintained packages and hackage upload rights

Evan Cofsky evan at theunixman.com
Fri Jan 31 06:11:52 UTC 2014


Hello,

As you all know I'm new to Haskell, but not at all new to software
communities or computer security. The Haskell community is maturing,
and as part of that we will have to be able to ensure that social
engineering attacks against our core infrastructure, such as the
canonical package repository, are not trivial to pull off
successfully.

There are several instances just in the past week that have been
making the rounds of basic impersonation attacks having disastrous
consequences because people were quite willing to trust complete
strangers, and of course we all know about the various problems faced
by the Node and the Ruby communities and their package management
systems, which were fully automated.

I put a lot more faith into Haskell programs, probably naively so, but
as people, though, we have to at least maintain a certain amount of
healthy skepticism when it comes to responding to requests to take
over projects, and without a doubt along with that skepticism comes
friction and process. But these are absolutely essential to having a
trustworthy resource in Hackage, and I think that far outweighs the
fictitious freedoms offered by management by handshake and a smile,
especially for such an important community resource.

-- 
Evan Cofsky <evan at theunixman.com>