
#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
 Reporter:  guest               |        Owner:
     Type:  defect              |       Status:  new
 Priority:  normal              |    Milestone:
Component:  HackageDB website   |      Version:
 Severity:  normal              |   Resolution:
 Keywords:                      |   Difficulty:  normal
Ghcversion: 6.8.2               |     Platform:
--------------------------------+-------------------------------------------
Comment (by igloo):

 I'd like to vote for rejecting uploads of the same version: We should do
 everything we can to discourage people from distributing different things
 with the same version number, as it makes debugging problems etc much
 harder.

 On the security side, one thing we could do is to e-mail the maintainer
 address (in both the old and new cabal files) when an upload is done,
 including the username of the uploader and whether the maintainer address
 has changed. (I think we should do more as well, but this should be easy
 to set up and has no ongoing cost).

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:7
Hackage http://haskell.org/cabal/
Hackage: Cabal and related projects
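
The two measures proposed in the comment above (refuse a re-upload of an existing version, and e-mail the maintainer addresses from both the old and new cabal files), sketched as an added example that is not HackageDB's code or part of the original message. `review_upload`, `Decision`, the in-memory index and the sample data are hypothetical, and the "old" cabal file is assumed to be the highest version already published.

```python
import re
from dataclasses import dataclass, field

# Single-line "maintainer:" field of a .cabal file (field names are case-insensitive).
MAINTAINER = re.compile(r"^maintainer[ \t]*:[ \t]*(.+)$", re.I | re.M)
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def maintainer_addresses(cabal_text):
    """Lower-cased e-mail addresses found in the maintainer field."""
    m = MAINTAINER.search(cabal_text)
    return {a.lower() for a in ADDRESS.findall(m.group(1))} if m else set()

@dataclass
class Decision:
    accepted: bool
    message: str
    notify: list = field(default_factory=list)  # addresses to e-mail
    maintainer_changed: bool = False

def review_upload(index, name, version, new_cabal, uploader):
    """index: package name -> {version string: published .cabal text}."""
    published = index.get(name, {})
    if version in published:
        # Same name and version must never map to different contents.
        return Decision(False, f"{name}-{version} already exists; bump the version")
    old, new = set(), maintainer_addresses(new_cabal)
    if published:
        # Assumption: "old cabal file" = the highest version already published.
        latest = max(published, key=lambda v: tuple(int(p) for p in v.split(".")))
        old = maintainer_addresses(published[latest])
    changed = bool(published) and old != new
    message = (f"{uploader} uploaded {name}-{version}. "
               f"Maintainer address changed: {'yes' if changed else 'no'}.")
    # Mail old and new addresses, so a changed field cannot hide the upload
    # from the previous maintainer.
    return Decision(True, message, sorted(old | new), changed)

# Constructed sample data, not real Hackage contents.
SAMPLE_INDEX = {"foo": {
    "1.0": "name: foo\nversion: 1.0\nmaintainer: Alice <alice@example.org>\n",
}}
NEW_CABAL = "name: foo\nversion: 1.1\nMaintainer: mallory@example.net\n"

if __name__ == "__main__":
    print(review_upload(SAMPLE_INDEX, "foo", "1.0", NEW_CABAL, "mallory"))
    print(review_upload(SAMPLE_INDEX, "foo", "1.1", NEW_CABAL, "mallory"))
```
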