[Haskell-cafe] Improvements to package hosting and security

Michael Snoyman michael at snoyman.com
Fri Apr 17 05:04:37 UTC 2015

On Fri, Apr 17, 2015 at 7:51 AM Bardur Arantsson <spam at scientician.net> wrote:

> On 17-04-2015 05:34, Michael Snoyman wrote:
> > I wrote up a strawman proposal last week[5] which clearly needs work to
> > be a realistic option. My question is: are people interested in moving
> > forward on this? If there's no interest, and everyone is satisfied with
> > continuing with the current Hackage-central-authority, then we can proceed
> > with having reliable and secure services built around Hackage. But if
> > others- like me- would like to see a more secure system built from the
> > ground up, please say so and let's continue that conversation.
>
> You say "more secure". Against what? What's the threat model? (Again,
> sorry if I missed it, it's been a long thread.)
>
> Yes, I'd definitely like a more "secure system" against many/all of the
> threats identified in e.g. TUF (perhaps even more, if realistic), but it's
> hard to evaluate a proposal without an explicitly spelled out threat
> model. This is where adopting bits of TUF seems a lot more appealing than a
> home-brewed model, at least if we can remain confident that those bits
> actually mitigate the threats that we want covered.

Instead of copy-pasting bits and pieces of my initial email until the whole
thing makes sense, I'll just link to the initial email, which lists some of
the security vulnerabilities and gives my disclaimers about my proposal
just being a strawman:


Note that I never intended that list to be exhaustive at all! The point is
to see if others have security concerns along these lines as well, which
seems to be the case. In this thread others and myself have raised a number
of other security threats. TUF raises even additional threats.

I've asked Duncan[1] about how TUF would address some specific concerns I
raised (such as Hackage server being compromised), but I haven't heard a
response. My guess is that TUF will end up being a necessary but
insufficient part of a solution here, but I unfortunately don't know enough
about Well Typed's intended implementation to say more than that.


[1] Both in the mailing list and on Reddit: