
#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
  Reporter:  guest              |       Owner:
      Type:  defect             |      Status:  new
  Priority:  normal             |   Milestone:
 Component:  HackageDB website  |     Version:
  Severity:  normal             |  Resolution:
  Keywords:                     |  Difficulty:  normal
Ghcversion:  6.8.2              |    Platform:
--------------------------------+-------------------------------------------

Comment (by duncan):

 It's not a trivial balance about who should be allowed to upload a package.
 By uploading to a public repo, package authors are surrendering a little bit
 of control. If people start relying on a package then we want that package
 to continue even if the original uploader goes AWOL. So it is not clear that
 we would always want to restrict uploads to the declared maintainer (or
 whoever uploaded it first).

 One could imagine a system where there is a list of allowed uploaders for a
 package and existing people could add others to that set. But whatever we do
 like that, it has to be overridable for the cases when a package maintainer
 disappears.

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:4
Hackage http://haskell.org/cabal/
Hackage: Cabal and related projects
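The per-package uploader set with an admin override that the comment sketches, written out as an added illustration (not code from Hackage or from the ticket); the `PackageIndex` class, the trustee role and the user names are assumptions made up for the example:

```python
"""Upload authorisation model: first upload claims the name, later uploads
need membership in the package's uploader set, existing uploaders can extend
that set, and a trustee can override it when a maintainer has gone AWOL."""
from dataclasses import dataclass, field


class UploadDenied(Exception):
    """Raised when an actor is not authorised for the requested action."""


@dataclass
class PackageIndex:
    # package name -> set of users allowed to upload new versions (assumed structure)
    uploaders: dict = field(default_factory=dict)
    # users holding the override power (hypothetical "trustee" role)
    trustees: set = field(default_factory=set)
    # append-only record of every decision, so overrides can be reviewed later
    audit_log: list = field(default_factory=list)

    def upload(self, pkg, user):
        if pkg not in self.uploaders:
            # First upload claims the name: the uploader becomes the initial maintainer.
            self.uploaders[pkg] = {user}
            self.audit_log.append(("claim", pkg, user))
            return True
        if user in self.uploaders[pkg]:
            self.audit_log.append(("upload", pkg, user))
            return True
        # Anyone else is refused; this is the check the ticket says is missing.
        self.audit_log.append(("denied", pkg, user))
        raise UploadDenied(f"{user} may not upload {pkg}")

    def add_uploader(self, pkg, actor, new_user):
        # Only a current uploader can widen the set; outsiders have no self-service path.
        if actor not in self.uploaders.get(pkg, set()):
            raise UploadDenied(f"{actor} may not change uploaders of {pkg}")
        self.uploaders[pkg].add(new_user)
        self.audit_log.append(("add", pkg, actor, new_user))

    def override(self, pkg, trustee, new_user, reason):
        # The escape hatch for an absent maintainer: trustee-only, and always logged with a reason.
        if trustee not in self.trustees:
            raise UploadDenied(f"{trustee} is not a trustee")
        self.uploaders.setdefault(pkg, set()).add(new_user)
        self.audit_log.append(("override", pkg, trustee, new_user, reason))
```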