
28 Oct 2012, 10:59 a.m.
On 10/28/2012 03:20 AM, Niklas Hambüchen wrote:
> - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything)

Does Hackage at least store the logs of package uploads? What's the reason for such a security model? I guess it was appropriate in the past when Hackage was an experimental service, but now it's a standard way of distributing Haskell code. If anyone can update any package, we are waiting for the disaster. I have some Haskell code I wrote myself running as root, and these thoughts make me shiver.

HTTPS is a must-have in the current situation, but it's only part of a solution.