[Haskell-cafe] [haskell-infrastructure] Improvements to package hosting and security

Michael Snoyman michael at snoyman.com
Wed Apr 15 06:47:14 UTC 2015

On Wed, Apr 15, 2015 at 9:14 AM Gershom B <gershomb at gmail.com> wrote:

> On April 15, 2015 at 1:57:07 AM, Michael Snoyman (michael at snoyman.com)
> wrote:
> > I'm not intimately familiar with the Hackage API, so I can't give a
> > point-by-point description of what information is and is not auditable.
> Okay, then why did you write "There's a lot of stuff going on inside of
> Hackage which we have no insight into or control over."?
> I would very much like to have a clarifying discussion, as you are
> gesturing towards some issue we should think about. But it is difficult
> when you make broad claims, and are not able to explain what they mean.
> Cheers,
> Gershom

I think you're reading too much into my claims, and specifically on the
unimportant aspects of them. I can clarify these points, but I think
drilling down deeper is a waste of time. To answer this specific question:

* There's no clarity on *why* change was approved. I see that person X
uploaded a revision, but why was person X allowed to do so?
* I know of no way to see the history of authorization rules.
    * Was JohnDoe always a maintainer of foobar, or was that added at some
    * Who added this person as a maintainer?
    * Who gave this other person trustee power? Who took it away?

All of these things would come for free with an open system where
authorization rules are required to be encoded in a freely viewable file,
and signatures are used to verify the data.

And to be clear, to make sure no one thinks I'm saying otherwise: I don't
think Hackage has done anything wrong by approaching things the way it has
until now. I probably would have come up with a very similar system. I'm
talking about new functionality and requirements that weren't stated for
the original system. Don't take this as "Hackage is bad," but rather, "time
to batten down the hatches."
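The message above sketches an auditable scheme without code: authorization rules kept in a viewable file, each change signed, so anyone can answer "who made JohnDoe a maintainer of foobar, and who let them?". The following is an added illustration of that sketch, not code from the thread, from Hackage, or from any proposal discussed there. It replays a hash-chained log of maintainer and trustee changes, verifies each entry, and rejects history that has been edited or changes whose actor had no authority at that point. An HMAC over a constructed demo key stands in for the per-uploader public-key signature a real system would use; all names and actions are constructed.

```python
"""Added example: a verifiable, replayable authorization log (not from the thread)."""
import hashlib
import hmac
import json

# Constructed demo key. In a real system each actor would hold a private key
# and entries would carry public-key signatures; HMAC is only a stand-in here.
SIGNING_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def canonical(body):
    """Deterministic encoding so signatures and hashes are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body):
    return hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()


def entry_hash(entry):
    return hashlib.sha256(canonical(entry)).hexdigest()


def append(log, actor, action, subject, package=None):
    """Append a signed entry chained to the previous one."""
    prev = entry_hash(log[-1]) if log else GENESIS
    body = {"seq": len(log), "prev": prev, "actor": actor,
            "action": action, "subject": subject, "package": package}
    entry = dict(body, sig=sign(body))
    log.append(entry)
    return entry


def replay(log):
    """Verify signature, chain and authorization of every entry; return final state.

    Raises ValueError naming the offending entry, so tampered or unauthorized
    history is rejected instead of being silently applied.
    """
    trustees = set()
    maintainers = {}  # package -> set of maintainer names
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if not hmac.compare_digest(sign(body), entry["sig"]):
            raise ValueError(f"entry {i}: bad signature")
        if body["seq"] != i or body["prev"] != prev:
            raise ValueError(f"entry {i}: broken chain")
        actor, action, subject, pkg = (body[k] for k in ("actor", "action", "subject", "package"))
        if i == 0:
            if action != "grant_trustee":
                raise ValueError("entry 0 must bootstrap a trustee")
            trustees.add(subject)
        elif action in ("grant_trustee", "revoke_trustee"):
            # Only a current trustee may change who the trustees are.
            if actor not in trustees:
                raise ValueError(f"entry {i}: {actor} is not a trustee")
            (trustees.add if action == "grant_trustee" else trustees.discard)(subject)
        elif action in ("add_maintainer", "remove_maintainer"):
            # A trustee or an existing maintainer of the package may change its maintainers.
            if actor not in trustees and actor not in maintainers.get(pkg, set()):
                raise ValueError(f"entry {i}: {actor} may not change {pkg}")
            members = maintainers.setdefault(pkg, set())
            (members.add if action == "add_maintainer" else members.discard)(subject)
        else:
            raise ValueError(f"entry {i}: unknown action {action}")
        prev = entry_hash(entry)
    return trustees, maintainers


def history(log, subject):
    """Every change concerning one person: answers 'who added X, and when?'."""
    return [(e["seq"], e["actor"], e["action"], e["package"])
            for e in log if e["subject"] == subject]


def build_sample_log():
    # Constructed sample history; all names are placeholders.
    log = []
    append(log, "bootstrap", "grant_trustee", "alice")
    append(log, "alice", "add_maintainer", "bob", package="foobar")
    append(log, "bob", "add_maintainer", "johndoe", package="foobar")
    append(log, "alice", "grant_trustee", "carol")
    append(log, "alice", "revoke_trustee", "carol")
    return log


def tampered_log_is_rejected():
    # Constructed case: the recorded actor of an old entry is rewritten.
    log = build_sample_log()
    log[2]["actor"] = "mallory"
    try:
        replay(log)
    except ValueError:
        return True
    return False


def unauthorized_change_is_rejected():
    # Constructed case: a revoked trustee tries to add a maintainer.
    log = build_sample_log()
    append(log, "carol", "add_maintainer", "mallory", package="foobar")
    try:
        replay(log)
    except ValueError:
        return True
    return False
```

Replaying from the genesis entry is what makes the questions in the list above answerable: the state at any point is derived from the visible log rather than from a database row that can change without trace, and `history(log, "johndoe")` shows exactly which entry, by whom, made JohnDoe a maintainer.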
