authentication for hackage uploads

Sven Panne sven.panne at aedion.de
Fri Jan 5 10:04:17 EST 2007


On Wednesday, 3 January 2007 23:46, Neil Mitchell wrote:
> > We need some security on uploads to hackage, because Cabal packages
> > can run arbitrary code during the build process
>
> I think this should be strongly discouraged by Cabal, almost to the
> point where Setup files with custom code are disallowed by Hackage.
> Doing an attack on an in-use module is a lot more work than putting it
> in the configure script. [...]

There are already quite a few open build systems for "normal" (RPM, etc.) 
packages out there, and the usual technology is to run everything in a chroot 
cage. Would this be an option here, too? I have to admit that I currently do 
not fully understand who will run which code when, etc. when we talk about 
hackage.

Cheers,
   S.




More information about the Libraries mailing list