[Haskell-cafe] Unmaintained packages and hackage upload rights

[Daniil Frumin]

On Fri, Jan 31, 2014 at 5:21 PM, Erik Hesselink <hesselink at gmail.com> wrote:
> On Fri, Jan 31, 2014 at 1:55 PM, Gergely Risko <gergely at risko.hu> wrote:
>> On Fri, 31 Jan 2014 10:04:33 +0100, Erik Hesselink <hesselink at gmail.com> writes:
>>
>>> * User fixes a package, emails the maintainer.
>>> * No response: User emails trustees.
>>> * Trustees check the above conditions, and upload the new version.
>>
>> * Attacker "fixes the package", emails the maintainer with a typo in the
>>   email address (if the package is really unmaintained and the
>>   maintainer is unreachable this typo trick is not even necessary)
>> * No response: attacker emails trustees
>> * Attacker provides a github repository where the last commit is nice,
>>   but the attack is in previous commits that are converted from darcs to
>>   git(hub)
>
> Yes, if there's no original repo to compare against, you can probably
> fake a lot of stuff. I cannot see how to easily guard against this,
> without making the process more cumbersome.

Well, surely we can (and should!) compare the given "new" repository
with the latest hackage version. Comparing against the canonical
repository can lead to problems if the canonical repository contains
commits that have not been released to Hackage but which introduce
breaking changes, for example.

> Perhaps it was wrong of me
> to mention security at all. But having the concept of maintainers (and
> thus *some* process for changing these) still makes a lot of sense to
> me with regard to 'ownership' of a package. Should we abolish that and
> go back to the situation of no ownership/maintainership checks? Or
> should we skip checking the source code?
>
> Regards,
>
> Erik
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://www.haskell.org/mailman/listinfo/haskell-cafe



-- 
Sincerely yours,
-- Daniil