
On Sat, Nov 22, 2008 at 03:11:34PM -0000, Claus Reinke wrote:
> > You only need an account for uploading packages. If you do not want to have to enter your user name or password interactively when you run "cabal upload" then you can put them in the config file:
> >
> > username:
> > password:
>
> That sounds like a very bad idea, and should not be encouraged!

Agreed. However...

> Any compromised uploader machine with stored passwords can be used to upload compromising code, which will propagate to all downloaders.

It doesn't really matter whether a compromised machine stores a password or not. If you upload anything using a compromised machine, the attacker has the opportunity to learn your password. Also, Hackage doesn't use SSL/TLS, so compromising a machine isn't necessary for learning Hackage passwords.

-- 
Antti-Juhani Kaijanaho, Jyväskylä, Finland
http://antti-juhani.kaijanaho.fi/newblog/
http://www.flickr.com/photos/antti-juhani/