[Haskell-cafe] Unmaintained packages and hackage upload rights
hesselink at gmail.com
Fri Jan 31 13:21:10 UTC 2014
On Fri, Jan 31, 2014 at 1:55 PM, Gergely Risko <gergely at risko.hu> wrote:
> On Fri, 31 Jan 2014 10:04:33 +0100, Erik Hesselink <hesselink at gmail.com> writes:
>> * User fixes a package, emails the maintainer.
>> * No response: User emails trustees.
>> * Trustees check the above conditions, and upload the new version.
> * Attacker "fixes the package", emails the maintainer with a typo in the
> email address (if the package is really unmaintained and the
> maintainer is unreachable this typo trick is not even necessary)
> * No response: attacker emails trustees
> * Attacker provides a github repository where the last commit is nice,
> but the attack is in previous commits that are converted from darcs to
Yes, if there's no original repo to compare against, you can probably
fake a lot of stuff. I cannot see how to easily guard against this,
without making the process more cumbersome. Perhaps it was wrong of me
to mention security at all. But having the concept of maintainers (and
thus *some* process for changing these) still makes a lot of sense to
me with regard to 'ownership' of a package. Should we abolish that and
go back to the situation of no ownership/maintainership checks? Or
should we skip checking the source code?
More information about the Haskell-Cafe