authentication for hackage uploads
Sven Panne
sven.panne at aedion.de
Fri Jan 5 10:04:17 EST 2007
Am Mittwoch, 3. Januar 2007 23:46 schrieb Neil Mitchell:
> > We need some security on uploads to hackage, because Cabal packages
> > can run arbitrary code during the build process
>
> I think this should be strongly discouraged by Cabal, almost to the
> point where Setup files with custom code are disallowed by Hackage.
> Doing an attack on an in-use module is a lot more work than putting it
> in the configure script. [...]
There are already quite a few open build systems for "normal" (RPM, etc.)
packages out there, and the usual technology is to run everything in a chroot
cage. Would this be an option here, too? I have to admit that I currently do
not fully understand who will run which code when, etc. when we talk about
hackage.
Cheers,
S.
More information about the Libraries
mailing list