People are missing a key point: hackage packages are append only.  Any upload will not override any prior version, and a bad new version is quite easy to deprecate.  <div><br></div><div>I&#39;m not sure I&#39;m comfortable with the idea of trustees having super upload powers by default   (Speaking as the only person with trustee but not admin powers). Ie Id want a &quot;trustee&quot; upload to be a distinguished API thst I couldn&#39;t trip using cabal upload and if such a hypothetical power existed, I&#39;d probably solicit feedback from a few folks by emailing the libraries list and testing any such upload locally.  </div>
<div><br></div><div>That aside: why isn&#39;t anyone helping work on hackage-server? We really need a few Heros to help work on hackage server.   Otherwise it&#39;s kinda moot! :-)<span></span></div><div><br><br>On Friday, January 31, 2014, Brandon Allbery &lt;<a href="mailto:allbery.b@gmail.com">allbery.b@gmail.com</a>&gt; wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Jan 31, 2014 at 7:22 AM, Erik Hesselink <span dir="ltr">&lt;<a href="javascript:_e(%7B%7D,&#39;cvml&#39;,&#39;hesselink@gmail.com&#39;);" target="_blank">hesselink@gmail.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Fri, Jan 31, 2014 at 1:12 PM, Roman Cheplyaka &lt;<a href="javascript:_e(%7B%7D,&#39;cvml&#39;,&#39;roma@ro-che.info&#39;);" target="_blank">roma@ro-che.info</a>&gt; wrote:<br>


&gt;&gt; Again, do you have any suggestions to make things better?<br>
&gt;<br>
&gt; Here I merely want people to realize that there is a problem. How to<br>
&gt; solve it is a whole new discussion.<br>
<br>
</div>I think plenty of people (including me) have already agreed that there<br>
is a problem. So I don&#39;t understand the point of your message about<br>
security, then.<span><font color="#888888"><br></font></span></blockquote><div><br></div><div>It was a response to Evan Coskey, who introduced a bit of a diversion.</div><div><br></div></div>-- <br><div dir="ltr">
<div>brandon s allbery kf8nh                               sine nomine associates</div><div><a href="javascript:_e(%7B%7D,&#39;cvml&#39;,&#39;allbery.b@gmail.com&#39;);" target="_blank">allbery.b@gmail.com</a>                                  <a href="javascript:_e(%7B%7D,&#39;cvml&#39;,&#39;ballbery@sinenomine.net&#39;);" target="_blank">ballbery@sinenomine.net</a></div>

<div>unix, openafs, kerberos, infrastructure, xmonad        <a href="http://sinenomine.net" target="_blank">http://sinenomine.net</a></div></div>
</div></div>
</blockquote></div>