
I think that restricting duplicate uploads ought to be done before too long. And the uploader info is needed on the package page (as is other info). But those things won't increase security for people using cabal-install (because it picks the most recent version, and they don't see the package page).
This in itself is something we should revisit at some point. If things are being managed more like a distribution, we'd want the ability to designate some branch as the "current" or "best" version, which may not necessarily be the highest version.

For example, Gentoo has two mechanisms: there is a way to designate packages as bleeding edge or as tested and stable (and there is a protocol for transferring packages from one state to the other). Users can select whether they want to live on the bleeding edge, either globally or on a per-package basis. Additionally there is a "masking" system to prevent the package manager from considering certain versions at all. Within those constraints, the package manager tries to pick the highest version.

Duncan
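The selection policy Duncan describes (stable vs. bleeding-edge designation, a global or per-package opt-in to the unstable set, a mask list that removes versions from consideration entirely, then "highest version wins" within those constraints), as an added illustration that is not code from the thread, from cabal-install or from Gentoo's portage. The package name `foo`, its versions and the helper names are constructed for the example; the point it demonstrates is that the version a client installs is not automatically the newest one uploaded.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Version
    stable: bool  # True: tested/stable; False: bleeding edge


# Constructed catalogue for a hypothetical package "foo" (sample data only).
CATALOGUE: List[Candidate] = [
    Candidate("foo", (1, 0, 0), stable=True),
    Candidate("foo", (1, 1, 0), stable=True),
    Candidate("foo", (2, 0, 0), stable=False),
    Candidate("foo", (2, 1, 0), stable=False),  # newest upload
]

# Mask list: (name, version) pairs the resolver must never consider,
# e.g. a release later found to be broken or uploaded by the wrong party.
MASKED: FrozenSet[Tuple[str, Version]] = frozenset({("foo", (2, 1, 0))})


def select_version(name: str, catalogue: List[Candidate],
                   masked: FrozenSet[Tuple[str, Version]] = frozenset(),
                   accept_unstable: bool = False,
                   unstable_packages: FrozenSet[str] = frozenset()
                   ) -> Optional[Candidate]:
    """Pick the highest version of `name` allowed by the policy.

    Stable releases are always eligible; bleeding-edge ones only if the
    user opted in globally (accept_unstable) or for this package
    (unstable_packages). Masked versions are dropped before comparison.
    """
    allow_unstable = accept_unstable or name in unstable_packages
    eligible = [c for c in catalogue
                if c.name == name
                and (c.name, c.version) not in masked
                and (c.stable or allow_unstable)]
    if not eligible:
        return None
    return max(eligible, key=lambda c: c.version)


if __name__ == "__main__":
    print("default:", select_version("foo", CATALOGUE, MASKED))
    print("unstable:", select_version("foo", CATALOGUE, MASKED, accept_unstable=True))
```

With the default policy the resolver returns 1.1.0 even though 2.1.0 is the most recent upload; opting into the unstable set yields 2.0.0, because 2.1.0 stays masked.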