
On 3 July 2012 03:14, Duncan Coutts
On Mon, 2012-07-02 at 12:25 +0100, Ian Lynagh wrote:
Hi all,
I'm planning to spend some time, on behalf of the Industrial Haskell Group, working on Hackage 2 in the coming weeks.
[..]
So that leaves 3 tickets as blockers:
#911: We need to do something here. With Hackage 1, it takes manual approval before you can upload packages, and at the very least Hackage 2 should match that. I have the impression that that is already possible (by restricting package upload to a group, and requiring accounts to be added to that group by an admin), but I haven't confirmed that yet.
Right, I don't think we need to do any more than make sure uploaders are in the appropriate group. It *should* currently be the case that only accounts in the package group can upload, and the first time you upload a new named package then you get added as the initial member of the new package group.
Currently for testing purposes anyone can register an account and can then upload new packages. We have two options here: restrict account creation to be manual like in Hackage 1, or add a new system-wide "uploaders" group for accounts that are authorised to upload new packages and have a manual admin step to add people to the uploaders group. The latter will allow for registered users who are not uploaders, which would be useful later to allow things like non-anonymous commenting etc.
I think we should avoid manual approvals; I know several people who have excellent, working, used in-production, cabalified Haskell code but for whatever reason they are reluctant to request an account -- however they have code on github.
Allowing random users to upload code only really becomes a problem when poorly named or insecure packages pollute the global namespace; perhaps admin approval should only be on global naming, not on account creation and upload.
Conrad.

On Mon, Jul 2, 2012 at 4:07 PM, Conrad Parker
I think we should avoid manual approvals; I know several people who have excellent, working, used in-production, cabalified Haskell code but for whatever reason they are reluctant to request an account -- however they have code on github.
A key difference of course being that github has a two-level namespace for projects.
Allowing random users to upload code only really becomes a problem when poorly named or insecure packages pollute the global namespace;
Just to be clear: this is already a problem. A substantial amount of the stuff on Hackage today is junk. I don't actually mind there being crufty packages, but their number undoubtedly makes it very hard to find packages that are genuinely interesting or useful. And then there's the compounding factor of a package being listed under every category that its author tagged it with. Since we lack any means of filtering, searching for, or nominating "good" packages, it's kind of a backhanded blessing for now that more people can't, or choose not to, upload packages.
participants (2)
- Bryan O'Sullivan
- Conrad Parker