[Haskell-cafe] Unmaintained packages and hackage upload rights

Roman Cheplyaka roma at ro-che.info
Fri Jan 31 12:12:33 UTC 2014


* Erik Hesselink <hesselink at gmail.com> [2014-01-31 12:45:56+0100]
> Security is never binary, and just because we're not guarding against
> all scenarios, doesn't mean we shouldn't guard against any.

It doesn't. It means, however, that we should at least ask ourselves
whether it's worth what we pay for it. And whether we can get better for
less.

> Again, do you have any suggestions to make things better?

Here I merely want people to realize that there is a problem. How to
solve it is a whole new discussion.

> On Fri, Jan 31, 2014 at 12:02 PM, Roman Cheplyaka <roma at ro-che.info> wrote:
> > So let's talk about security.
> >
> > The current process protects against malicious parties rather poorly.
> > It protects against malicious takeover of a maintained package, but an
> > adversary could presumably find an unmaintained or semi-maintained yet
> > popular package (such as ansi-terminal) to pull off an attack.
> >
> > The process does protect against *targeted* malicious takeover (i.e. an
> > adversary wants to inject malicious code in exactly the (maintained)
> > package K, and not just any moderately popular (but unmaintained)
> > package L). But that is not enough. So security and trust have to be
> > enforced by a different mechanism anyway.
> >
> > Roman
> >
> > * Evan Cofsky <evan at theunixman.com> [2014-01-31 06:11:52+0000]
> >> Hello,
> >>
> >> As you all know I'm new to Haskell, but not at all new to software
> >> communities or computer security. The Haskell community is maturing,
> >> and as part of that we will have to be able to ensure that social
> >> engineering attacks against our core infrastructure, such as the
> >> canonical package repository, are not trivial to pull off
> >> successfully.
> >>
> >> There are several instances just in the past week that have been
> >> making the rounds of basic impersonation attacks having disastrous
> >> consequences because people were quite willing to trust complete
> >> strangers, and of course we all know about the various problems faced
> >> by the Node and the Ruby communities and their package management
> >> systems, which were fully automated.
> >>
> >> I put a lot more faith into Haskell programs, probably naively so, but
> >> as people, though, we have to at least maintain a certain amount of
> >> healthy skepticism when it comes to responding to requests to take
> >> over projects, and without a doubt along with that skepticism comes
> >> friction and process. But these are absolutely essential to having a
> >> trustworthy resource in Hackage, and I think that far outweighs the
> >> fictitious freedoms offered by management by handshake and a smile,
> >> especially for such an important community resource.
> >>
> >> --
> >> Evan Cofsky <evan at theunixman.com>
> >
> >
> >
> > _______________________________________________
> > Haskell-Cafe mailing list
> > Haskell-Cafe at haskell.org
> > http://www.haskell.org/mailman/listinfo/haskell-cafe
> >