[Haskell-cafe] Ticking time bomb

Twan van Laarhoven twanvl at gmail.com
Thu Jan 31 12:02:51 CET 2013


On 31/01/13 09:16, Ketil Malde wrote:
> *MY* proposal is that:
>
> 0. Hackage sends an email to the previous uploader whenever a new
>     version of a package is uploaded by somebody else.
>
> At least that way, I would be notified if it happened to my packages,
> and I would be able to check up on the situation, and rectify it.
>
> This is not to say that cryptographic signing is the wrong thing to do,
> but a very simple thing like this, which would probably take all of five
> minutes to implement, would reduce risk by a substantial amount.


That is an excellent idea, and it should be very simple to add.

Of course it doesn't stop all attacks, but it does stop the most obvious one.
And it might also prevent some honest mistakes or errors in communication where
someone uploads a forked package without permission.


Twan
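The check Ketil proposes is a state comparison: remember who uploaded the last version of each package and raise an alert when the next upload comes from a different account. The following is an added example, not Hackage code and not part of the thread; it runs the check over a constructed upload log (package and account names are invented) and produces the notification the proposal describes. As an extension beyond the proposal, the `notify_all_prior` flag notifies every distinct earlier uploader of the package rather than only the most recent one, which matters when a hijacked package has already had one rogue release.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed data model: one record per accepted upload, in chronological order.
# A real implementation would read these from the package index or upload log.
@dataclass(frozen=True)
class Upload:
    package: str
    version: str
    uploader: str


@dataclass(frozen=True)
class Notification:
    recipient: str   # the earlier uploader who should be told
    package: str
    version: str
    uploader: str    # the account that just uploaded

    def as_email(self) -> str:
        """Render the notification as a plain-text mail body (hypothetical format)."""
        return (
            f"To: {self.recipient}\n"
            f"Subject: [Hackage] {self.package}-{self.version} uploaded by {self.uploader}\n\n"
            f"A new version of {self.package} was uploaded by {self.uploader}, "
            f"who is not the previous uploader ({self.recipient}). "
            f"If you did not authorise this, please check the package."
        )


def detect_uploader_changes(events: Iterable[Upload],
                            notify_all_prior: bool = False) -> List[Notification]:
    """Return one Notification per (earlier uploader, upload) pair where the
    uploader of a new version differs from who uploaded before.

    With notify_all_prior=False only the immediately previous uploader is
    notified (Ketil's proposal). With True every distinct earlier uploader of
    the package is notified, excluding the current uploader themselves.
    """
    history: Dict[str, List[str]] = {}   # package -> uploaders, in upload order
    notifications: List[Notification] = []
    for ev in events:
        prior = history.setdefault(ev.package, [])
        if prior:  # first upload of a package has nobody to notify
            candidates = prior if notify_all_prior else [prior[-1]]
            for recipient in dict.fromkeys(candidates):   # dedupe, keep order
                if recipient != ev.uploader:
                    notifications.append(
                        Notification(recipient, ev.package, ev.version, ev.uploader))
        prior.append(ev.uploader)
    return notifications


# Constructed sample log: two packages, one of which changes hands twice.
SAMPLE_UPLOADS = [
    Upload("acme-parser", "1.0", "alice"),
    Upload("acme-parser", "1.1", "alice"),
    Upload("acme-parser", "1.2", "mallory"),   # someone else uploads -> alert alice
    Upload("acme-utils", "0.1", "bob"),
    Upload("acme-utils", "0.2", "carol"),      # alert bob
    Upload("acme-parser", "1.3", "alice"),     # alice takes it back -> alert mallory
    Upload("acme-parser", "1.4", "dave"),      # alert alice (and mallory if all-prior)
]

if __name__ == "__main__":
    for note in detect_uploader_changes(SAMPLE_UPLOADS):
        print(note.as_email())
        print("-" * 40)
```

Note that the plain version also mails the intruder when the legitimate maintainer uploads again, since at that point the intruder is the "previous uploader"; that is harmless, but it is one reason to keep a full uploader history rather than a single remembered name.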
