authentication for hackage uploads

Ross Paterson ross at soi.city.ac.uk
Wed Jan 3 13:03:03 EST 2007


We need some security on uploads to hackage, because Cabal packages
can run arbitrary code during the build process (and when in use).
I think that Apache authentication (as used in Trac, for example) would
be sufficient, but that the initial registration of submitters needs to
be done manually by a small group of people.  We need to know who we're
dealing with, and we need at least an email address to contact them.
Personally, I'd prefer that user names were real names in camel case,
but maybe I'm too old-fashioned.

Any views?


