[Haskell-cafe] Improvements to package hosting and security

Bardur Arantsson spam at scientician.net
Fri Apr 17 05:38:24 UTC 2015

On 17-04-2015 07:04, Michael Snoyman wrote:

> https://groups.google.com/d/msg/commercialhaskell/PTbC0p_YFvk/8XqS8wDxgqEJ
> Note that I never intended that list to be exhaustive at all! The point is
> to see if others have security concerns along these lines as well, seems to
> be the case.

Ok, that's fair enough. And: yes! :)

FWIW, I think what people have been asking for is exactly *details*, so
that the proposal can be evaluated properly. (I realize that this is a
non-trivial amount of work.) For example, a good start would be to
evaluate your strawman proposal against the TUF criteria and see where
it needs to be fleshed out/beefed up, etc.

> I've asked Duncan[1] about how TUF would address some specific concerns I
> raised (such as Hackage server being compromised), but I haven't heard a
> response. My guess is that TUF will end up being a necessary but
> insufficient part of a solution here, but I unfortunately don't know enough
> about Well Typed's intended implementation to say more than that.
> Michael
> [1] Both in the mailing list and on Reddit:
> http://www.reddit.com/r/haskell/comments/32sezy/ongoing_work_to_improve_hackage_security/cqeco3q

I'm reminded of SPJ's usual request for a wiki page *with details*
discussing pros/cons of all the proposals for new GHC features. Might it
be time to start such a page? (Of course this is not meant to imply any
particular *rush* per se, but this is obviously becoming a growing
concern in the community.)
