
On 01/31/2013 08:16 AM, Ketil Malde wrote:
> *MY* proposal is that:
>
> 0. Hackage sends an email to the previous uploader whenever a new version of a package is uploaded by somebody else.
>
> At least that way, I would be notified if it happened to my packages, and I would be able to check up on the situation, and rectify it.
You wouldn't in real cases; it just fixes the most obvious and simple attack vector. But consider:

* someone intercepting your upload HTTP stream and dynamically replacing your package,
* someone gaining malicious access to Hackage and planting stuff inside packages,
* a rogue Hackage admin,
* a rogue Hackage mirror admin.

It's obviously less easy than just creating an account and uploading things on top of other packages, but I don't think we should feel safe if the previous maintainer received an email about the change. For example, the previous maintainer might be away from email for a long time, potentially leaving a trojan version for days/weeks, or might have changed email address.

--
Vincent
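The vectors Vincent lists above, played out against a toy index, as an added illustration that is not part of the thread and not Hackage's code. The toy implements Ketil's rule (mail the previous uploader when somebody else uploads over a package) and then runs the four scenarios: an account takeover upload, a replaced download stream, a direct edit of the server's store, and a mirror serving different bytes. Only the first produces a notification; the other three never pass through the upload path the rule watches. The client-side digest check is an assumption added here to show where a check has to live to see all four (a digest the maintainer publishes out of band stands in for any end-to-end verification; the thread itself proposes none). Package names, users and tarball bytes are constructed.

```python
"""Toy model of the "notify the previous uploader" rule and the attack
vectors that bypass it. Illustration only: not Hackage's code, and the
pinned-digest client check is an assumed trust anchor, not Hackage's."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Index:
    """Toy package index: stores tarballs and remembers the last uploader."""
    store: Dict[Tuple[str, str], bytes] = field(default_factory=dict)
    uploader: Dict[str, str] = field(default_factory=dict)
    notifications: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def upload(self, user: str, pkg: str, ver: str, tarball: bytes) -> None:
        prev = self.uploader.get(pkg)
        if prev is not None and prev != user:
            # Ketil's proposal: mail the previous uploader on a takeover.
            self.notifications.append((prev, pkg, ver, user))
        self.store[(pkg, ver)] = tarball
        self.uploader[pkg] = user

    def fetch(self, pkg: str, ver: str) -> bytes:
        return self.store[(pkg, ver)]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def client_install(fetch: Callable[[], bytes], pinned: str) -> bool:
    """Client-side check (assumption): accept the blob only if it matches a
    digest the maintainer published out of band, independent of the index."""
    return sha256(fetch()) == pinned


# Constructed sample tarballs.
GOOD = b"good-1.0.tar.gz: pure haskell"
EVIL = b"good-1.0.tar.gz: with trojan"


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """For each attack, return (previous uploader notified?, client accepts?)."""
    results: Dict[str, Tuple[bool, bool]] = {}
    pinned = sha256(GOOD)  # published by the maintainer out of band

    def fresh() -> Index:
        idx = Index()
        idx.upload("ketil", "good", "1.0", GOOD)
        return idx

    # 1. The obvious attack: another account uploads over the package.
    idx = fresh()
    idx.upload("mallory", "good", "1.0", EVIL)
    results["account-upload"] = (
        len(idx.notifications) == 1,
        client_install(lambda: idx.fetch("good", "1.0"), pinned),
    )

    # 2. Intercepted download stream: bytes swapped in flight, no upload event.
    idx = fresh()
    results["mitm"] = (
        len(idx.notifications) == 1,
        client_install(lambda: EVIL, pinned),
    )

    # 3. Rogue admin / server compromise: the stored file is edited directly,
    #    bypassing upload() and therefore the notification hook.
    idx = fresh()
    idx.store[("good", "1.0")] = EVIL
    results["rogue-admin"] = (
        len(idx.notifications) == 1,
        client_install(lambda: idx.fetch("good", "1.0"), pinned),
    )

    # 4. Rogue mirror: the origin is untouched, the mirror serves other bytes.
    idx = fresh()
    mirror = dict(idx.store)
    mirror[("good", "1.0")] = EVIL
    results["rogue-mirror"] = (
        len(idx.notifications) == 1,
        client_install(lambda: mirror[("good", "1.0")], pinned),
    )
    return results


if __name__ == "__main__":
    for attack, (notified, accepted) in run_scenarios().items():
        print(f"{attack:15} notified={notified!s:5} client_accepts={accepted}")
```

Running it shows the notification fires only for the account-upload case, while the digest check rejects the tampered bytes in all four; the difference is that the check runs at the point of use against a trust anchor the index does not control, which is why a server-side alert cannot substitute for it.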