[Haskell-cafe] [haskell-infrastructure] Improvements to package hosting and security

Andrey Sverdlichenko blaze at ruddy.ru
Wed Apr 15 18:54:12 UTC 2015

I think this "public notepad" approach will make security situation
worse for most users. It is probably safe to assume that typical
developer do not have haskell friends who publish packages, especially
popular ones, never met anyone at or even attended ICFP and may have
very vague idea about GPG keys at all. In short, they just do not have
any basis to build trust model on.

Currently, at least some level of security is provided by restrictions
on who can upload new packages: if this package is there for a few
years, and new version is uploaded by the same maintainer, it gives
some assurance that new version does not upload all your files to
botnet and wipe out hard drive. There are several assumptions like
that maintainer password is not stolen, there is no MITM attack, etc,
but however weak this security is, these attacks are usually targeted
and at least they require some additional effort from villain.

Now, if I get it right, you want to allow anyone to upload foo-1.0.1
to hackage and let user sort it out if he trusts this update. It will
never work: for all we know about security, when asked "do you trust
this package's signature?" user will either get annoyed, shrug and
click "Yes", or if paranoid, get annoyed and go away. He is just does
not know enough to make decisions you are asking him to make. And
adding vector implementation with something malicious in it's build
script just became a matter of "cabal upload".
If you build such a system, you have to provide it with reasonable set
of defaults, and it is where "we are in business of key distribution"
thing raises its head again.

On Wed, Apr 15, 2015 at 7:17 AM, Mathieu Boespflug
<mathieu at fpcomplete.com> wrote:
>> In the future, we can at first optionally, and then later on a stricter basis encourage and then enforce signing. I think this is a good idea.
>> But, and here we apparently disagree completely, it seems to me that everything else is not and should not be the job of a centralized server.
> Actually, I think you and Michael are in violent *agreement* on this
> particular point. At the core of the gist that was pointed to earlier
> in this thread [1], is the idea that we should have some kind of
> central notepad, where anyone is allowed to scribble anything they
> like, even add pointers to packages that are completely broken, don't
> build, or are malicious trojan horses. Then, it's up to end users to
> filter out the wheat from the chaff. In particular, it's up to the
> user to pretend those scribbles that were added by untrusted sources
> were just never there, *according to the users own trust model*. The
> central notepad does not enforce any particular trust model. It just
> provides sufficient mechanism so that the information necessary to
> support common trust models, such as WoT of GPG keys, can be uploaded
> and/or pointed to and found.
> In this way, any trust model can be supported. We could refactor
> Hackage on top of this notepad, and have Hackage upload metadata about
> those scribbles that *it* thinks are legit, say because Hackage
> performed the scribble itself on behalf of some user, but only did so
> after authenticating said user, according to its own notion of
> authentication.
> Users are free to say "I trust any scribble to the notepad about any
> package that was added by an authenticated Hackage user". Or "I only
> trust scribbles from my Haskell friends whom I have met at ICFP and on
> that occasion exchanged keys". Or a union of both. Or anything else
> really.
> [1] https://gist.github.com/snoyberg/732aa47a5dd3864051b9
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe

More information about the Haskell-Cafe mailing list