Hackage is flooded with old package versions reuploads

Vincent Hanquez tab at snarc.org
Sun Jan 18 23:05:31 UTC 2015


On 18/01/2015 09:56, kyra wrote:
> Hi, guys,
>
> It looks like old (and even ancient) versions of many packages get 
> uploaded to Hackage over and over again in ever-increasing amounts. 
> The username of the uploader for the vast majority of these uploads is 
> HerbertValerioRiedel.
>
> While this is harmless I wonder what idea stands behind this?
This is not harmless. This is a security issue by itself, as now 
packages get changed transparently under a given URL: you might get a 
different package one day, which triggers a hash check failure or a 
signed tag verification failure.

This also has the effect of not changing the bounds in the repository, 
so, for example, the next time you upload a tweaked package, you 
effectively revert the change that was made on Hackage only.

This is also done without the consent of the maintainer of a given 
package; nor is the maintainer actually notified when that happens, 
or allowed to prevent it from happening. This is a pretty big departure 
from the other similar policy for taking over packages, which insists on 
a very long period of repeated communication with the author and then 
the community.

The whole thing is at best ill-advised.
-- 
Vincent
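
The failure mode Vincent describes above (the same URL serving different bytes after an old version is re-uploaded with edited bounds) is easy to check for with a pinned digest. The example below is an added illustration and is not code from the thread, from Hackage, or from cabal; the package name `foo`, its URL, the .cabal contents and the lockfile are all constructed here, and nothing is fetched from the network. It shows why a version-number check alone is useless here (the version inside the tarball is identical before and after) while a recorded SHA-256 catches the change.

```python
"""Added example: pinned-digest check for a package tarball that changes under
the same URL.  Tarballs, URL and lockfile are constructed in memory (assumed
contents); no network access is needed."""
import gzip
import hashlib
import hmac
import io
import tarfile


def make_tarball(name: str, version: str, cabal_text: str) -> bytes:
    """Build a minimal, deterministic <name>-<version>.tar.gz holding one .cabal file."""
    raw = io.BytesIO()
    # mtime=0 on the gzip header and the tar entry keeps the bytes reproducible.
    with gzip.GzipFile(fileobj=raw, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            data = cabal_text.encode()
            info = tarfile.TarInfo(name=f"{name}-{version}/{name}.cabal")
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return raw.getvalue()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the exact bytes served for the tarball."""
    return hashlib.sha256(data).hexdigest()


def cabal_field(tarball: bytes, field: str) -> str:
    """Read one top-level field (e.g. 'version', 'build-depends') from the .cabal
    file inside the tarball.  Minimal parser: top-level 'key: value' lines only."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        member = next(m for m in tar.getmembers() if m.name.endswith(".cabal"))
        text = tar.extractfile(member).read().decode()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == field.lower():
            return value.strip()
    raise KeyError(field)


def verify_pinned(url: str, fetched: bytes, lockfile: dict) -> tuple:
    """Compare the fetched tarball's digest with the digest pinned for that URL.
    Returns (ok, pinned_digest, actual_digest)."""
    actual = sha256_hex(fetched)
    pinned = lockfile[url]
    return hmac.compare_digest(pinned, actual), pinned, actual


# Constructed scenario: the same URL serves different bytes after a re-upload
# that only tightened the upper bound on base.  Package and URL are hypothetical.
URL = "https://hackage.haskell.org/package/foo-1.0/foo-1.0.tar.gz"
ORIGINAL = make_tarball(
    "foo", "1.0", "name: foo\nversion: 1.0\nbuild-depends: base >= 4 && < 5\n")
REUPLOADED = make_tarball(
    "foo", "1.0", "name: foo\nversion: 1.0\nbuild-depends: base >= 4 && < 4.8\n")
# Digest recorded when foo-1.0 was first pulled (the "lockfile").
LOCKFILE = {URL: sha256_hex(ORIGINAL)}


def demo() -> tuple:
    """(version unchanged?, original matches pin?, re-upload matches pin?)"""
    same_version = cabal_field(ORIGINAL, "version") == cabal_field(REUPLOADED, "version")
    ok_before, _, _ = verify_pinned(URL, ORIGINAL, LOCKFILE)
    ok_after, _, _ = verify_pinned(URL, REUPLOADED, LOCKFILE)
    return same_version, ok_before, ok_after


if __name__ == "__main__":
    same_version, ok_before, ok_after = demo()
    print("version field unchanged:", same_version)
    print("pinned digest matches original tarball:", ok_before)
    print("pinned digest matches re-uploaded tarball:", ok_after)
```

Pinning the digest of the bytes you actually built against, rather than the version string, is the only thing in this setup that surfaces the silent change; the same idea applies to any verification tied to the tarball contents, such as a signed tag over a checksum.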


More information about the Libraries mailing list