[Haskell-cafe] Enhancing the security of hackage
Lally Singh
lally.singh at gmail.com
Thu Dec 9 13:11:18 CET 2010
On Thu, Dec 9, 2010 at 7:04 AM, Ketil Malde <ketil at malde.org> wrote:
> Vincent Hanquez <tab at snarc.org> writes:
>
>> You might have misunderstood what I was talking about. I'm proposing
>> signing on the hackage server on reception of the package,
>
> Okay, fair enough. You can't *enforce* this, of course, since I might
> work without general internet access but a local mirror, but you could
> require me to run 'cabal --dont-check-signatures' or similar, so this
> would still make a hostile-operated mirror less useful.
>
> OTOH, if I should suggest improving the security of Hackage, I would
> prioritize:
>
> a) email the maintainer whenever a new upload is accepted - preferably
> with a notice about whether the build works or fails. Maybe also
> highlight the case when maintainer differs from uploader - if that
> doesn't give a ton of false positives.
>
> b) email the *previous* maintainer when a new upload is accepted and the
> maintainer field has changed.
>
> This way, somebody is likely to actually *notice* when some evil person
> uploads a trojan mtl or bytestring or whatever. The downside is more
> mail, and the people who run Hackage have been wary about this. So
> perhaps even this is on the wrong side of the cost/benefit fence.
>
> (People with admin privileges (staff or hackers) to hackage can of course
> still work around everything - crypto signatures or email-schemes.)
>
> -k
Also, perhaps put the signatures on a separate machine from the one
containing .tar.gz. For a 3rd party to corrupt a package, they'd need
to hack 2 machines.
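As an added illustration (not code from the thread or from Hackage itself), here is a small Python model of the three ideas above: the server records a digest when it accepts an upload, a client checks a mirror's tarball against that record from a separate host with an explicit opt-out standing in for `cabal --dont-check-signatures`, and an upload produces the maintainer notifications from points (a) and (b). The package name `mtl`, the version string and the tarball bytes are constructed sample values, and a plain SHA-256 digest stands in for a real public-key signature.

```python
"""Model of the Hackage hardening ideas in this thread: the server signs a
package on reception, the client checks a mirror's tarball against that
record with an explicit opt-out, and uploads trigger maintainer e-mails."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SignatureRecord:
    """Record the signature host publishes, separately from the tarball host.
    Constructed stand-in: a real record would carry a public-key signature
    over these fields; what is modelled is the digest a mirror cannot change."""
    name: str
    version: str
    sha256: str


def sign_upload(name: str, version: str, tarball: bytes) -> SignatureRecord:
    """Run on the signature host when Hackage accepts an upload."""
    return SignatureRecord(name, version, hashlib.sha256(tarball).hexdigest())


def verify_download(tarball: bytes, record: Optional[SignatureRecord],
                    check_signatures: bool = True) -> Tuple[bool, str]:
    """Check a tarball fetched from a mirror; returns (accepted, reason).

    With no record reachable (offline, local mirror) the check can only be
    skipped explicitly, the equivalent of 'cabal --dont-check-signatures'."""
    if not check_signatures:
        return True, "signature check disabled by user"
    if record is None:
        return False, "no signature record; rerun with check_signatures=False"
    if record.sha256 != hashlib.sha256(tarball).hexdigest():
        return False, f"{record.name}-{record.version}: tarball does not match signed digest"
    return True, "digest matches signature host"


def upload_notifications(uploader: str, maintainer: str,
                         previous_maintainer: Optional[str]) -> List[Tuple[str, str]]:
    """Recipients for points (a) and (b): the current maintainer always,
    flagged when the uploader differs; the previous maintainer when changed."""
    reason = "new upload accepted"
    if uploader != maintainer:
        reason += f" (uploaded by {uploader}, who is not the maintainer)"
    notes = [(maintainer, reason)]
    if previous_maintainer and previous_maintainer != maintainer:
        notes.append((previous_maintainer, f"maintainer field changed to {maintainer}"))
    return notes
```

A tampered tarball is rejected only because the record comes from a host the mirror does not control, which is the two-machine point made above.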