[Haskell-cafe] Unmaintained packages and hackage upload rights

Erik Hesselink hesselink at gmail.com
Fri Jan 31 11:45:56 UTC 2014


Security is never binary, and just because we're not guarding against
all scenarios, doesn't mean we shouldn't guard against any. Again, do
you have any suggestions to make things better?

Regards,

Erik

On Fri, Jan 31, 2014 at 12:02 PM, Roman Cheplyaka <roma at ro-che.info> wrote:
> So let's talk about security.
>
> The current process protects against malicious parties rather poorly.
> It protects against malicious takeover of a maintained package, but an
> adversary could presumably find an unmaintained or semi-maintained yet
> popular package (such as ansi-terminal) to pull off an attack.
>
> The process does protect against *targeted* malicious takeover (i.e. an
> adversary wants to inject malicious code in exactly the (maintained)
> package K, and not just any moderately popular (but unmaintained)
> package L). But that is not enough. So security and trust have to be
> enforced by a different mechanism anyway.
>
> Roman
>
> * Evan Cofsky <evan at theunixman.com> [2014-01-31 06:11:52+0000]
>> Hello,
>>
>> As you all know I'm new to Haskell, but not at all new to software
>> communities or computer security. The Haskell community is maturing,
>> and as part of that we will have to be able to ensure that social
>> engineering attacks against our core infrastructure, such as the
>> canonical package repository, are not trivial to pull off
>> successfully.
>>
>> There are several instances just in the past week that have been
>> making the rounds of basic impersonation attacks having disastrous
>> consequences because people were quite willing to trust complete
>> strangers, and of course we all know about the various problems faced
>> by the Node and the Ruby communities and their package management
>> systems, which were fully automated.
>>
>> I put a lot more faith into Haskell programs, probably naively so, but
>> as people, though, we have to at least maintain a certain amount of
>> healthy skepticism when it comes to responding to requests to take
>> over projects, and without a doubt along with that skepticism comes
>> friction and process. But these are absolutely essential to having a
>> trustworthy resource in Hackage, and I think that far outweighs the
>> fictitious freedoms offered by management by handshake and a smile,
>> especially for such an important community resource.
>>
>> --
>> Evan Cofsky <evan at theunixman.com>