Hackage 2

Erik Hesselink hesselink at gmail.com
Wed Sep 5 21:22:45 CEST 2012


On Tue, Sep 4, 2012 at 1:35 AM, Leon Smith <leon.p.smith at gmail.com> wrote:
> On Mon, Sep 3, 2012 at 4:20 AM, Erik Hesselink <hesselink at gmail.com> wrote:
>>
>> I think that the eventual situation should have per-package uploaders.
>> It just seems too dangerous for anyone to be able to upload any
>> package, especially heavily-used ones.
>
> I think you underestimate the power of non-technical security measures.
> It's not been a problem in the past,  and Debian allows any committer to
> upload any package.
>
> The thing is,  since we have an account approval process and that we have a
> full, public log of everything that everybody's uploaded,   people are going
> to notice when somebody uploads something they shouldn't.   We have
> accountability,  unlike a typical FTP site or other mutable filesystem.

Yes, I think you are right that people will notice -- eventually. It
might take an hour, it might take a day, it might take a week. But say
that a malicious version of mtl was uploaded, that, say, copied some
private keys or password files at compile time using Template Haskell.
If you notice after a week, how many people and companies will have
been hit?

> Also,  remember Linus Torvalds's justification for not having any commit bits
> in git;  I think our situation is different but similar.    If somebody does
> upload something they shouldn't,  to what degree is it really a problem?
> Again,  data is not lost,  and we have accountability.

Linus has some peculiar views on some subjects that work well for the
Linux kernel, but not necessarily for everybody. Note that GitHub,
which really popularized git, does have per repository permissions,
given to the creator by default.

>> On the other hand, I see little
>> use for the global uploaders group. So I'd propose to eventually
>> switch from the current situation, and have only per-package
>> uploaders, and no global uploaders.
>
> As a LtU admin (something more of a nightclub bouncer, really),  I dislike
> the current Hackage 2 user account process in a lot of respects.   But the
> approval process has worked remarkably well for LtU,  we haven't had a
> single spam message since requiring account approval before posting.   (I
> hope I haven't failed to approve too many legitimate requests... but at the
> same time,  if somebody really wants an account they can try again or
> contact Ehud.)

But the problem being solved at LtU is spam. What problem is the
Hackage uploaders group solving? I don't think spammers are going to
upload spammy, well-formed Haskell packages. It might become more of a
problem in case we add commenting. But even then, wouldn't a captcha
or email confirmation work equally well? I feel that right now, we're
wasting an admittedly small amount of your and my time, and delaying
people who want to upload a package to Hackage, for no good reason.

> Also,  we haven't had a single problem that I'm aware of on Ross Paterson's
> watch as bouncer for Hackage 1.    The point I'm trying to make is that a
> technical solution imposes additional administrative and technical overhead
> whereas social processes can also be very effective while also handling
> corner cases more gracefully.

I don't see how a technical solution (which is already implemented, by
the way) introduces *more* overhead than a manual solution. Also, the
fact that we haven't had any problems doesn't mean we won't in the
future. We don't have to wait before something goes wrong to fix it.

Erik
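The two authorization models argued over in this thread (a global uploaders group versus per-package uploaders) can be compared concretely. The following is an added illustration, not Hackage code: it models a package registry with a per-package maintainer list, an optional global uploaders group, and an append-only public upload log, then measures how many packages a single compromised account could publish under each policy and shows the after-the-fact check (an account uploading a package it does not maintain) that the log makes possible. All package names, accounts and versions are constructed for the example.

```python
"""Added example (not Hackage code): compare a global uploaders group with
per-package maintainer lists as the authorization model for package uploads.
All data below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Registry:
    # package name -> accounts allowed to upload new versions of it
    maintainers: Dict[str, Set[str]]
    # accounts in the global uploaders group (empty under the per-package policy)
    global_uploaders: Set[str] = field(default_factory=set)
    # append-only public log of (account, package, version, decision)
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def may_upload(self, account: str, package: str) -> bool:
        """Authorization check: a global uploader may upload any package;
        otherwise the account must be listed as a maintainer of that package."""
        if account in self.global_uploaders:
            return True
        return account in self.maintainers.get(package, set())

    def upload(self, account: str, package: str, version: str) -> bool:
        """Apply the policy and record the attempt, accepted or not."""
        ok = self.may_upload(account, package)
        self.log.append((account, package, version, "accepted" if ok else "rejected"))
        return ok

    def blast_radius(self, account: str) -> Set[str]:
        """Packages a single account could publish a new version of."""
        return {pkg for pkg in self.maintainers if self.may_upload(account, pkg)}

    def out_of_scope_uploads(self) -> List[Tuple[str, str, str]]:
        """Accepted uploads by accounts that do not maintain the package.
        Under a global group these are exactly the events a reviewer of the
        public log would have to spot by eye after the fact."""
        return [
            (acct, pkg, ver)
            for acct, pkg, ver, decision in self.log
            if decision == "accepted" and acct not in self.maintainers.get(pkg, set())
        ]


def constructed_registry(global_group: bool) -> Registry:
    """Constructed sample data: four packages, four accounts."""
    maintainers = {
        "mtl": {"alice"},
        "parsec": {"bob"},
        "text": {"bob", "carol"},
        "my-tool": {"dave"},
    }
    members = {"alice", "bob", "carol", "dave"} if global_group else set()
    return Registry(maintainers, members)


def compare_policies() -> Dict[str, List[str]]:
    """Assume 'dave', maintainer of a small package, has his account
    compromised; list what each policy lets that account publish."""
    global_reg = constructed_registry(global_group=True)
    per_pkg_reg = constructed_registry(global_group=False)
    return {
        "global": sorted(global_reg.blast_radius("dave")),
        "per_package": sorted(per_pkg_reg.blast_radius("dave")),
    }


def simulate_rogue_upload(global_group: bool) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """The compromised account tries to push a new version of a widely used
    package. Returns (accepted?, out-of-scope uploads visible in the log)."""
    reg = constructed_registry(global_group)
    accepted = reg.upload("dave", "mtl", "9.9.9")
    return accepted, reg.out_of_scope_uploads()


if __name__ == "__main__":
    print(compare_policies())
    print("global group:", simulate_rogue_upload(True))
    print("per-package :", simulate_rogue_upload(False))
```

Under the global group the rogue upload is accepted and only shows up as a line in the log for someone to notice later; under per-package uploaders it is rejected at upload time, and the compromised account's reach is limited to the one package it maintains.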
