[Haskell-cafe] Unmaintained packages and hackage upload rights

Gergely Risko gergely at risko.hu
Fri Jan 31 13:43:42 UTC 2014

On Fri, 31 Jan 2014 14:21:10 +0100, Erik Hesselink <hesselink at gmail.com> writes:

> On Fri, Jan 31, 2014 at 1:55 PM, Gergely Risko <gergely at risko.hu> wrote:
>> On Fri, 31 Jan 2014 10:04:33 +0100, Erik Hesselink <hesselink at gmail.com> writes:
>>> * User fixes a package, emails the maintainer.
>>> * No response: User emails trustees.
>>> * Trustees check the above conditions, and upload the new version.
>> * Attacker "fixes the package", emails the maintainer with a typo in the
>>   email address (if the package is really unmaintained and the
>>   maintainer is unreachable this typo trick is not even necessary)
>> * No response: attacker emails trustees
>> * Attacker provides a github repository where the last commit is nice,
>>   but the attack is in previous commits that are converted from darcs to
>>   git(hub)
> Yes, if there's no original repo to compare against, you can probably
> fake a lot of stuff. I cannot see how to easily guard against this,
> without making the process more cumbersome. Perhaps it was wrong of me
> to mention security at all. But having the concept of maintainers (and
> thus *some* process for changing these) still makes a lot of sense to
> me with regard to 'ownership' of a package. Should we abolish that and
> go back to the situation of no ownership/maintainership checks? Or
> should we skip checking the source code?

My point was that social engineering and security is *hard*, *very
hard*.  Let me point out that stealing email addresses is also quite
easy if the owner doesn't think that his email is of very high
importance.  So even if you mail the correct address, maybe the attacker
will just circumvent the email for the time period needed.

So yes, I agree that 'ownership' is a good thing, but security is hard.
If someone wants to attack someone else through hackage, it's an easy
task.  Easy previously, a bit harder now (but still easy).

On the other hand, the new process is totally demotivating and
counterproductive for the startup nature of Hackage and the Haskell

I'd vote for the following:

  - anyone can upload anything,

  - but the libraries mailing list _AND_ the previous uploaders and
    previous maintainers/authors get an email notification,

  - that email contains a hackage admin emergency email address for
    security issues or hostile takeovers (we will never receive any
    email there),

  - maintainers can opt-out from the "anyone can upload anything"
    process for their own packages (so we can have important packages
    like lens), but they have to be active at least by clicking a
    confirmation url in an email every 3 months or uploading new

If you operate an organization with security needs and you download
directly from Hackage, you're doomed anyways.
