
On 14/12/2010, at 2:25 AM, Paul Sargent wrote:
On Sat, Dec 11, 2010 at 19:51, Brandon S Allbery KF8NH wrote:
On 12/9/10 16:04, Richard O'Keefe wrote:
I thought "X is a mirror of Y" meant X would be a read-only replica of Y, with some sort of protocol between X and Y to keep X up to date. As long as the material from Y replicated at X is *supposed* to be publicly available, I don't see a security problem here. Only Y accepts updates from outside, and it continues to do whatever authentication it would do without a mirror. The mirror X would *not* accept updates.
The above assumes that the operator of the mirror is trustworthy. It wouldn't be difficult for a hostile party to set up a mirror, but then modify the packages to include malware payloads --- if the packages aren't signed. (Or even if they are signed if it's a sufficiently weak algorithm. MD5 is already unusable for the purpose.)
True, but right now we're vulnerable to man-in-the-middle attacks, DNS spoofing, and a whole lot of other things. If there is any way to be sure that what I see when I visit hackage.haskell.org is the *real* hackage, my browser doesn't know about it.
How about, as a cheap and cheerful method to get up and running: if the premise is that the original server is trustworthy and the mirrors aren't, then:
1) Hash all packages on the original server.
2) The hash goes into a sidecar file (e.g. <packagename>.sha) that lives next to the package.
3) Modify cabal so that it can install from a mirror, but always gets the hash from the original server.
4) Before install, you check the hash is correct.
This suffers from two problems.
A. I am willing to grant that the original server is trustworthy, but "DNS lookup gives me the address of the original server and not a spoofer" seems every bit as dodgy an assumption as the trustworthiness of the mirrors.
B. Wasn't the original motivation for wanting mirrors *availability*? If you have to get the hash from the original server and the original server is down, then having a mirror has done you no good at all.
Perhaps someone on this list who understands what CRAN does could explain it here. I know that the R install.packages(...) command goes through mirrors.
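The sidecar-hash scheme proposed in the thread (hash on the origin, package from the mirror, verify before install) together with the availability objection, as an added example that is not cabal or Hackage code. The two "servers" are constructed dicts, and the .sha sidecar format (hex digest, two spaces, file name) is an assumption.

```python
import hashlib
import hmac

# Constructed stand-in for the scheme. Both "servers" are plain dicts
# mapping file name to bytes; the .sha sidecar format (hex digest, two
# spaces, file name, as sha256sum prints it) is an assumption, not a
# Hackage or cabal format.
GOOD_TARBALL = b"foo-1.0.tar.gz: constructed sample package contents\n"
ORIGIN = {
    "foo-1.0.tar.gz": GOOD_TARBALL,
    "foo-1.0.tar.gz.sha": (
        hashlib.sha256(GOOD_TARBALL).hexdigest() + "  foo-1.0.tar.gz\n"
    ).encode(),
}
HONEST_MIRROR = {"foo-1.0.tar.gz": GOOD_TARBALL}
TAMPERED_MIRROR = {"foo-1.0.tar.gz": GOOD_TARBALL + b"# injected line\n"}


class VerificationError(Exception):
    """Raised when a package must not be installed."""


def parse_sidecar(sidecar: bytes, name: str) -> str:
    """Return the hex SHA-256 digest recorded for `name` in a sidecar file."""
    line = sidecar.decode("ascii").strip()
    digest, _, listed = line.partition("  ")
    if listed != name or len(digest) != 64:
        raise VerificationError(f"malformed sidecar for {name}: {line!r}")
    return digest.lower()


def fetch_and_verify(name: str, mirror: dict, origin) -> bytes:
    """Steps 3 and 4 of the scheme: package from the mirror, hash from the origin."""
    if origin is None:
        # Objection B: no reachable origin means no trusted hash, so no install.
        raise VerificationError(f"origin unreachable, cannot verify {name}")
    expected = parse_sidecar(origin[name + ".sha"], name)
    data = mirror[name]
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(f"{name} from mirror does not match origin hash")
    return data


def outcome(name: str, mirror: dict, origin) -> str:
    """Convenience wrapper: 'ok' or the reason the install was refused."""
    try:
        fetch_and_verify(name, mirror, origin)
        return "ok"
    except VerificationError as exc:
        return str(exc)
```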