hackage, cabal-get, and security

Isaac Jones ijones at syntaxpolice.org
Tue May 10 16:27:07 EDT 2005

Bulat Ziganshin <bulatz at HotPOP.com> writes:

> Hello Isaac,
> Tuesday, May 10, 2005, 9:21:15 PM, you wrote:
> IJ> I'm working with Lemmih on the designs for Hackage and Cabal-Get.
> IJ> He's a real trooper, since I'm a total "customer" and have hardly
> IJ> written a line of code for these tools, but keep coming up with new
> IJ> requirements.
> how about taking Perl's CPAN and Ruby's Yaraa for a model?

We have, to some extent, and also Debian's model. 

> IJ> This actually already works :)
> i think, that many packages authors will prefer to hold archives on
> their own sites. and imho hackage must provide ability to just send
> description (package.cabal) to main site, in this case this file must
> include exact url to download full package. also .cabal file must
> include "home page" of package and email address of author

This is already actually implemented, but disabled.  I think it's best
to keep the packages on the Hackage site, at least at first, that way
we can guarentee that they will be available, (especially for package
dependencies), that the packager hasn't altered them without altering
the verison number (requiring rebuilds of other packages), stuff like

Cabal already has the fields that you are asking for.  We'll see how
people use things and update our ideas accordingly.

Also, the client can work with multiple servers.

> IJ> The big problem actually is that this is in no way secure, and just
> IJ> begging to be exploited.  Boo.
> imho best way to deal with this problem is "reserving" package names
> with password. after that, to change any information belonging to
> package, password must be supplied

So we're basically "reserving" package names with keys instead of

> IJ> 1) Generate a gnupg key. preferably get it signed by someone in my web
> IJ>    of trust (I'll try to organize a keysigning party at ICFP).
> yes, yes, we can also use our personal FBI numbers. anyway, someone not
> working in FBI can't be a good Haskeller :)

Are you saying that crypto-signing is overkill?  If so, I would have
to disagree, since many people will want to install packages as root.
I personally don't want to ask people to trust the good will of the
entire internet.



More information about the Libraries mailing list