Re: [Haskell-cafe] Package Takeover: `toml`

On Mar 12, 2021, at 2:42 PM, Henning Thielemann wrote:

I don't think there is any need for a public announcment if a package creator hands over maintainership to another developer.

Well, there have been some rather unfortunate transfers of control of widely used packages (in other ecosystems than hackage) to shady operators who made malicious changes. This is more directly a concern for browser plugins, or "apps", but also applies to Python, Ruby, Node and ultimately even Haskell. Supply chain security is a hard problem, and any transparency in changes of control would be great. If release tarballs are digitally signed, and contributors can be expected to not hand over their own keys when transferring control, but rather to arrange for new keys to be authorised to continue to make releases, then such changes of control could be noted on hackage as a change in which key signed a new release. Cautious users might pin the release keys trusted to sign a given dependency, and could then review and approve imports of these if signed by not yet trusted keys. There could even be a role for trusted reviewers (and ideally a means to compensate them for their work). I did mention this is a hard problem... -- Viktor.