[Haskell-cafe] [Haskell] ANN: Hackage Account Registration Changes

Niklas Hambüchen mail at nh2.me
Fri Feb 23 14:42:11 UTC 2018


On 23/02/2018 00.27, Matthias Kilian wrote:
> Does it
> mean that one can't trust *any* package on hackage.haskell.org at
> least a little bit (based on trust between acknowledging persons
> and reputation) without reviewing the package's source code?

Yes, in fact you cannot trust any random code you download from the
Internet, Hackage is no exception.

Anybody could register and upload a package that runs some `runIO`
TemplateHaskell which deletes your entire home directory upon
compilation, no matter if they are verified as a human or not.

Other programming languages' ecosystems don't solve this problem
either; if we want it solved, we should layer a trusted curated package
repository on top where all code is reviewed by a set of trusted experts.
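As an added illustration of the review point above (not code from the post or from Hackage tooling), here is a small triage scanner that flags `runIO` calls in modules where `TemplateHaskell` is enabled, i.e. IO that runs on the build machine at compile time. The sample package, the function names and the heuristics are all constructed for this example; it is a reviewer's first-pass filter, not a guarantee (re-exported `runIO`, custom `Setup.hs` hooks and other compile-time mechanisms are out of scope).

```python
import re
from typing import Dict, List, Tuple

# Hypothetical helper, not part of Hackage or cabal.
LANGUAGE_PRAGMA = re.compile(r"\{-#\s*LANGUAGE\s+(.*?)#-\}", re.S)
RUNIO = re.compile(r"\brunIO\b")

def strip_comments(src: str) -> str:
    """Blank out {- -} block comments (but not {-# #-} pragmas) and -- line
    comments, keeping newlines so reported line numbers stay correct."""
    src = re.sub(r"\{-(?!#).*?-\}", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"--.*", "", src)  # heuristic: also eats operators such as -->

def scan_module(path: str, src: str, default_exts=()) -> List[Tuple[str, int, str]]:
    """Return (path, line, reason) for each runIO call that could execute at compile time.
    default_exts covers extensions enabled via the .cabal file rather than a pragma."""
    code = strip_comments(src)
    exts = set(default_exts)
    for m in LANGUAGE_PRAGMA.finditer(code):
        exts.update(e.strip() for e in m.group(1).split(","))
    if "TemplateHaskell" not in exts:
        return []  # without the extension no splice can run, so runIO cannot fire during the build
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        if line.lstrip().startswith("import"):
            continue  # importing runIO is not yet a call
        if RUNIO.search(line):
            findings.append((path, lineno, "compile-time IO via runIO: " + line.strip()))
    return findings

def scan_package(files: Dict[str, str], default_exts=()) -> List[Tuple[str, int, str]]:
    """Scan every module of an unpacked package; files maps path -> source text."""
    out: List[Tuple[str, int, str]] = []
    for path in sorted(files):
        out.extend(scan_module(path, files[path], default_exts))
    return out

# Constructed sample package: one benign TH user, one module doing IO at compile time.
SAMPLE_PACKAGE: Dict[str, str] = {
    "src/Lenses.hs": "{-# LANGUAGE TemplateHaskell #-}\nmodule Lenses where\n"
                     "import Control.Lens (makeLenses)\n"
                     "data Config = Config { _port :: Int }\nmakeLenses ''Config\n",
    "src/BuildInfo.hs": "{-# LANGUAGE TemplateHaskell #-}\nmodule BuildInfo (gitRev) where\n"
                        "import Language.Haskell.TH.Syntax (runIO, lift)\n"
                        "-- runIO here runs on the build machine at compile time\n"
                        "gitRev :: String\n"
                        "gitRev = $(runIO (readFile \".git/HEAD\") >>= lift)\n",
}

if __name__ == "__main__":
    for path, line, reason in scan_package(SAMPLE_PACKAGE):
        print(f"{path}:{line}: {reason}")
```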
