authentication for hackage uploads

Ross Paterson ross at
Wed Jan 3 13:03:03 EST 2007

We need some security on uploads to hackage, because Cabal packages
can run arbitrary code during the build process (and when in use).
I think that Apache authentication (as used in Trac, for example) would
be sufficient, but that the initial registration of submitters needs to
be done manually by a small group of people.  We need to know who we're
dealing with, and we need at least an email address to contact them.
Personally, I'd prefer that user names were real names in camel case,
but maybe I'm too old-fashioned.

Any views?

More information about the Libraries mailing list