Re: [Haskell-cafe] Unmaintained packages and hackage upload rights

On Fri, Jan 31, 2014 at 5:21 PM, Erik Hesselink wrote:

On Fri, Jan 31, 2014 at 1:55 PM, Gergely Risko wrote:

...

On Fri, 31 Jan 2014 10:04:33 +0100, Erik Hesselink writes:

...

* User fixes a package, emails the maintainer. * No response: User emails trustees. * Trustees check the above conditions, and upload the new version.

* Attacker "fixes the package", emails the maintainer with a typo in the email address (if the package is really unmaintained and the maintainer is unreachable this typo trick is not even necessary) * No response: attacker emails trustees * Attacker provides a github repository where the last commit is nice, but the attack is in previous commits that are converted from darcs to git(hub)

Yes, if there's no original repo to compare against, you can probably fake a lot of stuff. I cannot see how to easily guard against this, without making the process more cumbersome.

Well, surely we can (and should!) compare the given "new" repository with the latest hackage version. Comparing against the canonical repository can lead to problems if the canonical repository contains commits that have not been released to Hackage but which introduce breaking changes, for example.

Perhaps it was wrong of me to mention security at all. But having the concept of maintainers (and thus *some* process for changing these) still makes a lot of sense to me with regard to 'ownership' of a package. Should we abolish that and go back to the situation of no ownership/maintainership checks? Or should we skip checking the source code?

Regards,

Erik _______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

-- Sincerely yours, -- Daniil