Re: [Haskell-cafe] Offer to mirror Hackage

On 10/12/2010, at 10:50 AM, Riad S. Wahby wrote:

Richard O'Keefe wrote:

...

I thought "X is a mirror of Y" meant X would be a read-only replica of Y, with some sort of protocol between X and Y to keep X up to date. As long as the material from Y replicated at X is *supposed* to be publicly available, I don't see a security problem here. Only Y accepts updates from outside, and it continues to do whatever authentication it would do without a mirror. The mirror X would *not* accept updates.

At the very least, this assumes that you trust all the mirror operators.

Sure, I'm trustworthy, but how about those other guys? >:)

See the words "some sort of protocol between X and Y"? This means that Y has to be authenticated to X and X to Y and they use some sort of encryption scheme that prevents man-in-the-middle attacks. Right now, of course, nothing whatever stops someone building a 'robot' at X to visit Y periodically and update X; the missing piece is any kind of accreditation at Y.