
#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
  Reporter:  guest              |        Owner:
      Type:  defect             |       Status:  new
  Priority:  normal             |    Milestone:
 Component:  HackageDB website  |      Version:
  Severity:  normal             |   Resolution:
  Keywords:                     |   Difficulty:  normal
Ghcversion:  6.8.2              |     Platform:
--------------------------------+-------------------------------------------
Comment (by ross@soi.city.ac.uk):

Yes, the security model is basic: if you have been (manually) registered you can upload any package, but your actions are published and logged. It's not designed to cope with malice, except that anyone who misbehaves can be deregistered.

I think that restricting duplicate uploads ought to be done before too long. And the uploader info is needed on the package page (as is other info). But those things won't increase security for people using cabal-install (because it picks the most recent version, and they don't see the package page), and they won't prevent non-maintainer uploads.

To do that we'd need to record ownership for packages, with human authorization the first time each package is uploaded and more administrative intervention if a package becomes dormant. These things would be extra costs on both users and administrators. Maybe we'd need to formalize a dispute resolution procedure. There's also the question of whether maintainers have a right to control uploads of their packages that should be policed by hackagedb.

Alternatively we could just put up some notices about upload etiquette and talk to each other.

We need to weigh what security would actually be achieved by a particular setup against the costs.

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:6
Hackage http://haskell.org/cabal/
Hackage: Cabal and related projects