Hackage is flooded with old package versions reuploads

Duncan Coutts duncan.coutts at googlemail.com
Tue Jan 20 12:00:34 UTC 2015


On Sun, 2015-01-18 at 15:05 -0800, Vincent Hanquez wrote:
> On 18/01/2015 09:56, kyra wrote:
> > Hi, guys,
> >
> > It looks like old (and even ancient) versions of many packages get 
> > uploaded to hackage over and over again in ever increasing amounts. 
> > The username of uploader for vast majority of these uploads is 
> > HerbertValerioRiedel.
> >
> > While this is harmless I wonder what idea stands behind this?

> This is not harmless. This is a security issue by itself, as now 
> packages get changed transparently given a URL: you might have a 
> different package one day, which triggers a hash check failure, or a 
> signed tag verification failure.

Note that hackage never changes the content of package tarballs. The
checksums on those are stable. Guaranteed.

> This also has the effect of not changing the bounds in the repository, 
> so for example, next time you upload a tweaked package, you 
> effectively revert the change done on hackage only.

Communicating changes upstream is certainly something we need to work on
to be able to use this as widely as it'd be helpful.

Up until recently we've only used the metadata editing feature with core
packages (or the maintainers themselves have done it). Recently Herbert
has been going a bit wider and if we are now running into issues of
communication with maintainers then I think this says that now is the
time to address that properly.

So that includes:
      * this discussion
      * wider communication with maintainers of just what is and is not
        possible (since we're actually deliberately rather conservative)
      * a proper notification and opt-in/opt-out system for maintainers
        to avail themselves of the helpful service that the trustees can
        provide.

Duncan
