[Hackage] #239: security hole: anyone can replace a package

#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
    Reporter:  guest             |        Owner:
        Type:  defect            |       Status:  new
    Priority:  normal            |    Milestone:
   Component:  HackageDB website |      Version:
    Severity:  normal            |     Keywords:
  Difficulty:  normal            |   Ghcversion:  6.8.2
    Platform:                    |
--------------------------------+-------------------------------------------
It is possible for any registered user to upload a new version of a package without reference to the actual maintainer of the package. The new upload can even have the same name and version number as an existing package.

Not only does this allow a malicious or misguided person to arbitrarily change or remove good code: there is also no notification on the webpage of the package about who uploaded it - only the author/maintainer fields of the cabal file. Needless to say, the latter may not be very happy that their name is associated with a corrupt package that they did not upload or authorise.

Recently, a significant number of packages have been uploaded without their maintainers' knowledge, so this could be a real problem.

A quick fix would be to list the uploader's name against every package, so that the paranoid user can make an informed decision about its status. Ultimately the decision about whether to trust a package is a social and community issue, but the lack of transparency in discovering relevant information is a technical problem that does have a solution.

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239
Hackage http://haskell.org/cabal/
Hackage: Cabal and related projects

Comment (by ross@soi.city.ac.uk):

It used to reject repeat uploads, but people complained. It can easily be turned on again.

Putting the uploader and upload date on the package page is also in the works.

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:1

Comment (by duncan):

Replying to [comment:1 ross@soi.city.ac.uk]:

> It used to reject repeat uploads, but people complained.

What were the complaints? People are not satisfied with just uploading a new version? Is there something else that would satisfy them perhaps, like allowing hiding old/obsolete/broken versions in the web UI?

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:2

Comment (by guest):

The point of Malcolm's issue isn't uploading packages with the same version or not - that's irrelevant. It's someone who isn't the maintainer uploading the package - if they bump the version number they can still upload it.

For what it's worth, I want to upload packages with the same version, so please don't apply the rejecting patch. But I do want to stop anyone but me uploading packages for anything that I'm the maintainer of!

-- Neil Mitchell

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:3

Comment (by duncan):

It's not a trivial balance about who should be allowed to upload a package. By uploading to a public repo package authors are surrendering a little bit of control. If people start relying on a package then we want that package to continue even if the original uploader goes AWOL. So it is not clear that we would always want to restrict uploads to be the declared maintainer (or whoever uploaded it first).

One could imagine a system where there is a list of allowed uploaders for a package and existing people could add others to that set. But whatever we do like that, it has to be overridable for the cases when a package maintainer disappears.

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:4

Comment (by guest):

Yes, let it be overridden by a trusted admin type person. And let me say who I think can upload my package. But I shouldn't be allowed to upload a package on behalf of someone else without them knowing.

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:5

Comment (by ross@soi.city.ac.uk):

Yes, the security model is basic: if you have been (manually) registered you can upload any package, but your actions are published and logged. It's not designed to cope with malice, except that anyone who misbehaves can be deregistered.

I think that restricting duplicate uploads ought to be done before too long. And the uploader info is needed on the package page (as is other info). But those things won't increase security for people using cabal-install (because it picks the most recent version, and they don't see the package page), and they won't prevent non-maintainer uploads.

To do that we'd need to record ownership for packages, with human authorization the first time each package is uploaded and more administrative intervention if a package becomes dormant. These things would be extra costs on both users and administrators. Maybe we'd need to formalize a dispute resolution procedure. There's also the question of whether maintainers have a right to control uploads of their packages that should be policed by hackagedb.

Alternatively we could just put up some notices about upload etiquette and talk to each other. We need to weigh what security would actually be achieved by a particular setup against the costs.

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:6

> I think that restricting duplicate uploads ought to be done before too long. And the uploader info is needed on the package page (as is other info). But those things won't increase security for people using cabal-install (because it picks the most recent version, and they don't see the package page)

This in itself is something we should revisit at some point. If things are being managed more like a distribution we'd want the ability to designate some branch as the "current" or "best" version which may not necessarily be the highest version.

For example Gentoo has two mechanisms, there is a way to designate packages as bleeding edge or tested and stable (and there is a protocol for transferring packages from one state to the other). Users can select whether they want to live on the bleeding edge, either globally or on a per-package basis. Additionally there is a "masking" system to prevent the package manager from considering certain versions at all. Within those constraints, the package manager tries to pick the highest version.

Duncan

Comment (by igloo):

I'd like to vote for rejecting uploads of the same version: We should do everything we can to discourage people from distributing different things with the same version number, as it makes debugging problems etc. much harder.

On the security side, one thing we could do is to e-mail the maintainer address (in both the old and new cabal files) when an upload is done, including the username of the uploader and whether the maintainer address has changed. (I think we should do more as well, but this should be easy to set up and has no ongoing cost).

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:7
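The ideas from comments 4 through 7 (a per-package set of allowed uploaders seeded by the first upload, an admin override for dormant packages, rejection of re-uploads of an existing version, a log of every attempt, and an e-mail to the old and new maintainer addresses naming the uploader and whether the address changed) fit together into one small policy model. This is an added sketch, not Hackage's code; the Package, Decision and Repository names and the addresses in the test are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Package:
    maintainer: str                               # maintainer address in the latest cabal file
    versions: set = field(default_factory=set)    # version strings already published
    uploaders: set = field(default_factory=set)   # usernames allowed to upload


@dataclass
class Decision:
    accepted: bool
    reason: str
    notify: tuple = ()            # maintainer addresses to e-mail (old and new)
    maintainer_changed: bool = False


class Repository:
    """Constructed model of the upload policy discussed above, not Hackage's implementation."""

    def __init__(self, admins):
        self.admins = set(admins)   # trusted admins can override when a maintainer disappears
        self.packages = {}
        self.log = []               # every attempt is recorded, accepted or not

    def grant(self, actor, name, user):
        """An existing uploader (or an admin) adds someone to the package's uploader set."""
        pkg = self.packages[name]
        if actor not in pkg.uploaders and actor not in self.admins:
            raise PermissionError(f"{actor} cannot grant upload rights on {name}")
        pkg.uploaders.add(user)

    def upload(self, uploader, name, version, maintainer):
        self.log.append((uploader, name, version))
        pkg = self.packages.get(name)
        if pkg is None:
            # First upload seeds the uploader set with whoever uploaded it.
            self.packages[name] = Package(maintainer, {version}, {uploader})
            return Decision(True, "new package", (maintainer,))
        if version in pkg.versions:
            # One name and version must never refer to two different tarballs.
            return Decision(False, "version already published")
        if uploader not in pkg.uploaders and uploader not in self.admins:
            return Decision(False, "uploader not authorised for this package")
        old = pkg.maintainer
        pkg.versions.add(version)
        pkg.maintainer = maintainer
        # Notify both the previous and the new maintainer address, flagging a change.
        return Decision(True, "accepted", tuple(sorted({old, maintainer})), old != maintainer)
```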

Changes (by ross@soi.city.ac.uk):

 * status: new => closed
 * resolution: => fixed

Comment:

Package pages now show who uploaded and when. The upload page now contains a warning that re-uploading is about to disappear. I think that covers the concrete suggestions in the original report, and we don't have consensus for stronger enforcement.

I've created ticket #243 for Ian's suggestion of notification emails.

--
Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/239#comment:8