Re: [Haskell-cafe] Unmaintained packages and hackage upload rights

31 Jan 2014


      On Fri, Jan 31, 2014 at 1:55 PM, Gergely Risko  wrote:
...
On Fri, 31 Jan 2014 10:04:33 +0100, Erik Hesselink  writes:
...
* User fixes a package, emails the maintainer.
* No response: User emails trustees.
* Trustees check the above conditions, and upload the new version.
* Attacker "fixes the package", emails the maintainer with a typo in the
  email address (if the package is really unmaintained and the
  maintainer is unreachable this typo trick is not even necessary)
* No response: attacker emails trustees
* Attacker provides a github repository where the last commit is nice,
  but the attack is in previous commits that are converted from darcs to
  git(hub)
Yes, if there's no original repo to compare against, you can probably
fake a lot of stuff. I cannot see how to easily guard against this,
without making the process more cumbersome. Perhaps it was wrong of me
to mention security at all. But having the concept of maintainers (and
thus *some* process for changing these) still makes a lot of sense to
me with regard to 'ownership' of a package. Should we abolish that and
go back to the situation of no ownership/maintainership checks? Or
should we skip checking the source code?

Regards,

Erik