I think you underestimate the power of non-technical security measures.   It's not been a problem in the past,  and Debian allows any committer to upload any package.

The thing is,  since we have an account approval process and that we have a full, public log of everything that everybody's uploaded,   people are going to notice when somebody uploads something they shouldn't.   We have accountability,  unlike a typical FTP site or other mutable filesystem.

Also,  remember Linus Torvald's justification for not having any commit bits in git;  I think our situation is different but similar.    If somebody does upload something they shouldn't,  to what degree is it really a problem?   Again,  data is not lost,  and we have accountability.

 

As a LtU admin (something more of a nightclub bouncer, really),  I dislike the current Hackage 2 user account process in a lot of respects.   But the approval process has worked remarkably well for LtU,  we haven't had a single spam message since requiring account approval before posting.   (I hope I haven't failed to approve too many legitimate requests... but at the same time,  if somebody really wants an account they can try again or contact Ehud.)

Also,  we haven't had a single problem that I'm aware of on Ross Paterson's watch as bouncer for Hackage 1.    The point I'm trying to make is that a technical solution imposes additional administrative and technical overhead whereas social processes can also be very effective while also handling corner cases more gracefully.

I've been working on a very rough sketch of a web application for the workflow I'd like to have in this account request/approval process.  Hopefully I'll have some code to show soonish, but I have a lot on my plate this week.

Best,

Leon