[Haskell-cafe] [haskell-infrastructure] Improvements to package hosting and security

Michael Snoyman michael at snoyman.com
Wed Apr 15 05:57:06 UTC 2015


On Wed, Apr 15, 2015 at 8:50 AM Gershom B <gershomb at gmail.com> wrote:

> On April 15, 2015 at 1:43:42 AM, Michael Snoyman (michael at snoyman.com)
> wrote:
> > > There's a lot of stuff going on inside of Hackage which we have
> > no insight into or control over. The simplest is that we can't
> > review a log of revisions. Improving that is a good thing, and
> > I hope Hackage does so. Nonetheless, I'd still prefer a fully
> > open, auditable system, which isn't possible with "just tack
> > it on to Hackage.”
>
> Ok, I’m going to ignore everything else and just focus on this, because it
> seems to be the only thing related to hackage, and therefore should be
> thought of separately from everything else.
>
> What _else_ goes on that “we have no insight or control over”? Can we
> document the full list. Can we specify what we mean by insight? I take that
> to mean auditability. Can we specify what we mean by “control? (There I
> have no idea).
>
> (With regards to revision logs, revisions are still a relatively new
> feature and there’s lots of bits and bobs missing, and I agree this is low
> hanging fruit to improve).
>
>
>
I'm not intimately familiar with the Hackage API, so I can't give a
point-by-point description of what information is and is not auditable.
However, *all* of that is predicated on trusting Hackage to properly
authenticate users and be immune to attacks. For example, even if I can ask
Hackage who uploaded a certain package/version, there's no way I can audit
that that's actually the case, besides going and asking that person. And I
can't even do *that* reliably, since the only identification for an
uploader is the Hackage username, and I can't verify that someone actually
owns that username without asking for his/her password also.

One feature Hackage could add that would make the latter a bit better would
be to verify identity claims from people (ala OpenID), though that still
leaves us in the position of needing to fully trust Hackage.

Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20150415/b65994fa/attachment.html>


More information about the Haskell-Cafe mailing list