
Replying to [comment:10 guest]:

> I worry about the idea of providing "security" or some notion of safety or trust only if one behaves "as expected". That seems slightly odd to me.

I think it's really essential. You are expecting for some reason that something on hackage is held to a higher security or QA standard than something else you randomly download off the web. What gives you that confidence? What makes you think other users have that confidence? Perhaps

As I said, a name can establish a reputation so there is value in
#214: Package security
----------------------------+-----------------------------------------------
  Reporter:  duncan          |       Owner:
      Type:  task            |      Status:  new
  Priority:  normal          |   Milestone:
 Component:  miscellaneous   |     Version:  1.2.3.0
  Severity:  normal          |  Resolution:
  Keywords:                  |  Difficulty:  project(> week)
Ghcversion:  6.8.2           |    Platform:
----------------------------+-----------------------------------------------

Comment (by guest):

Replying to [comment:14 duncan]:

> that's the security problem. There's no security problem with `132.73.41.22/hax0r.sh` because there's no reason you would expect to trust it.

I'm not sure we're disagreeing, I think we're just talking about different things. You say "We expect people to download packages they know of or have had recommended, not random packages." I'm trying to say that the only way in which code can migrate from "random package" status to "known and/or recommended" status is precisely by people downloading random packages.

> preventing well known names from being subverted.

Yes, absolutely, except without the "well known" bit.

-- matthew

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/214#comment:15
Hackage http://haskell.org/cabal/
Hackage: Cabal and related projects