[Haskell-cafe] Unmaintained packages and hackage upload rights

Roman Cheplyaka roma at ro-che.info
Fri Jan 31 11:02:08 UTC 2014


So let's talk about security.

The current process protects against malicious parties rather poorly.
It protects against malicious takeover of a maintained package, but an
adversary could presumably find an unmaintained or semi-maintained yet
popular package (such as ansi-terminal) to pull off an attack.

The process does protect against *targeted* malicious takeover (i.e. an
adversary wants to inject malicious code in exactly the (maintained)
package K, and not just any moderately popular (but unmaintained)
package L). But that is not enough. So security and trust have to be
enforced by a different mechanism anyway.

Roman

* Evan Cofsky <evan at theunixman.com> [2014-01-31 06:11:52+0000]
> Hello,
> 
> As you all know I'm new to Haskell, but not at all new to software
> communities or computer security. The Haskell community is maturing,
> and as part of that we will have to be able to ensure that social
> engineering attacks against our core infrastructure, such as the
> canonical package repository, are not trivial to pull off
> successfully.
> 
> There are several instances just in the past week that have been
> making the rounds of basic impersonation attacks having disastrous
> consequences because people were quite willing to trust complete
> strangers, and of course we all know about the various problems faced
> by the Node and the Ruby communities and their package management
> systems, which were fully automated.
> 
> I put a lot more faith into Haskell programs, probably naively so, but
> as people, though, we have to at least maintain a certain amount of
> healthy skepticism when it comes to responding to requests to take
> over projects, and without a doubt along with that skepticism comes
> friction and process. But these are absolutely essential to having a
> trustworthy resource in Hackage, and I think that far outweighs the
> fictitious freedoms offered by management by handshake and a smile,
> especially for such an important community resource.
> 
> -- 
> Evan Cofsky <evan at theunixman.com>

