
Darrin Chandler
It's not obvious to me that adding a mirror makes the infrastructure more insecure. Any particular concerns? (I hope I qualify as naïve here :-)
If you run a mirror people will come to you for software to run on their machines. I see a way to take advantage of that immediately.
My apologies for not expressing myself more clearly. What I mean is that currently, Hackage has a ton of users, each of whom may at whim upload a new version of any library. It's not clear to me that security is significantly worsened by adding a mirror.

Assume I am out with ill intent: I can now either a) set up a mirror, replace some central library with my evil trojan, launch a DOS attack against hackage.haskell.org to get users to switch, and gloat in my secret castle as I await the fruits of my cunning schemes -- or I can b) just upload my trojan library to hackage directly.

http://flaam.org/~jont/humor/uke48/Friends_of_Irony/image007.jpg

-k
--
If I haven't seen further, it is by standing in the footprints of giants