
Could we add an HTML form for creating new Hackage accounts? Right now, our community is small enough that emailing ross@soi.city.ac.uk and waiting for a manual response isn't too bad of a problem, but as we grow, it would be nice for these sorts of things to be handled by a server, like with RubyGems and NPM. -- Cheers, Andrew Pennebaker www.yellosoft.us

On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
Could we add an HTML form for creating new Hackage accounts? Right now, our community is small enough that emailing ross@soi.city.ac.uk and waiting for a manual response isn't too bad of a problem, but as we grow, it would be nice for these sorts of things to be handled by a server, like with RubyGems and NPM.
IMHO, a more pressing issue is SSL uploads and package signing. As it stands, anyone with a Hackage account can upload a new version of any given package, and some wire-sniffing is enough to reveal a legit user's password.

On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers
On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
Could we add an HTML form for creating new Hackage accounts? Right now, our community is small enough that emailing ross@soi.city.ac.uk and waiting for a manual response isn't too bad of a problem, but as we grow, it would be nice for these sorts of things to be handled by a server, like with RubyGems and NPM.
IMHO, a more pressing issue is SSL uploads and package signing. As it stands, anyone with a Hackage account can upload a new version of any given package, and some wire-sniffing is enough to reveal a legit user's password.
I'd try to solve the latest two things first before going into creating a specific form. On the other hand, maybe we can rig something up with Yesod or similar to solve all three points at the same time. I'm busy now with my master's dissertation but I can attempt something in a month if it seems ok and no one else does it before that date. -- MM "All we have to decide is what we do with the time that is given to us"

On Thu, Jun 13, 2013 at 05:07:38PM +0300, Mihai Maruseac wrote:
On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers
wrote: On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
Could we add an HTML form for creating new Hackage accounts? Right now, our community is small enough that emailing ross@soi.city.ac.uk and waiting for a manual response isn't too bad of a problem, but as we grow, it would be nice for these sorts of things to be handled by a server, like with RubyGems and NPM.
IMHO, a more pressing issue is SSL uploads and package signing. As it stands, anyone with a Hackage account can upload a new version of any given package, and some wire-sniffing is enough to reveal a legit user's password.
I'd try to solve the latest two things first before going into creating a specific form.
On the other hand, maybe we can rig something up with Yesod or similar to solve all three points at the same time. I'm busy now with my master's dissertation but I can attempt something in a month if it seems ok and no one else does it before that date.
IIRC, there have been previous attempts, or at least a discussion. I can't remember what the result was, though. Either way, it'll take more than just a Yesod web application built over a weekend; signed packages would require package authors to, well, sign, so cabal would need features for that; you'd also have to extend it to *check* those signatures, and give the user options to refuse or allow unsigned packages. SSL should be relatively simple though, mostly a matter of updating cabal's configuration and installing a suitable certificate on the hackage server.

On Thu, Jun 13, 2013 at 4:22 PM, Tobias Dammers
On Thu, Jun 13, 2013 at 05:07:38PM +0300, Mihai Maruseac wrote:
On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers
wrote: On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
Could we add an HTML form for creating new Hackage accounts? Right now, our community is small enough that emailing ross@soi.city.ac.uk and waiting for a manual response isn't too bad of a problem, but as we grow, it would be nice for these sorts of things to be handled by a server, like with RubyGems and NPM.
IMHO, a more pressing issue is SSL uploads and package signing. As it stands, anyone with a Hackage account can upload a new version of any given package, and some wire-sniffing is enough to reveal a legit user's password.
I'd try to solve the latest two things first before going into creating a specific form.
On the other hand, maybe we can rig something up with Yesod or similar to solve all three points at the same time. I'm busy now with my master's dissertation but I can attempt something in a month if it seems ok and no one else does it before that date.
IIRC, there have been previous attempts, or at least a discussion. I can't remember what the result was, though.
Either way, it'll take more than just a Yesod web application built over a weekend; signed packages would require package authors to, well, sign, so cabal would need features for that; you'd also have to extend it to *check* those signatures, and give the user options to refuse or allow unsigned packages. SSL should be relatively simple though, mostly a matter of updating cabal's configuration and installing a suitable certificate on the hackage server.
There have been numerous discussions about this already. One of the tricky things is that cabal uses the HTTP package for http calls, and it doesn't support SSL. Adding it is non-trivial on windows, I believe. As for the user account creation and uploading packages you don't own, Hackage 2 (any day now) has fixes for both. Erik

On Thu, Jun 13, 2013 at 10:48 AM, Niklas Hambüchen
As for the user account creation and uploading packages you don't own, Hackage 2 (any day now) has fixes for both.
Does Hackage 2 have SSL at least for the web interface?
Doesn't look like it. :( -- brandon s allbery kf8nh sine nomine associates allbery.b@gmail.com ballbery@sinenomine.net unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net

On Thu, Jun 13, 2013 at 4:48 PM, Niklas Hambüchen
As for the user account creation and uploading packages you don't own, Hackage 2 (any day now) has fixes for both.
Does Hackage 2 have SSL at least for the web interface?
I think it should be possible to set that up by proxying through e.g. Apache. You have to be careful to open up all urls 'cabal' accesses over http as well, but otherwise, I don't see a problem with that setup. I'm not quite sure what it would achieve, though. Erik

No idea, but if not, it should be trivial to add support. The two main
issues would be getting an SSL certificate (if one does not already exist)
and then making sure that the links do not hardcode the schema. So
//hackage.haskell.org/foo instead of http://hackage.haskell.org/.
Then the site can be served using simpleHTTPS instead of simpleHTTP.
- jeremy
On Thu, Jun 13, 2013 at 9:48 AM, Niklas Hambüchen
As for the user account creation and uploading packages you don't own, Hackage 2 (any day now) has fixes for both.
Does Hackage 2 have SSL at least for the web interface?
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
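A check for the hardcoded-scheme links mentioned in the message above, as an added example that is not part of the original post or of the Hackage code base. It scans served HTML for same-site `http://` URLs and proposes the scheme-relative form; the sample page, its paths other than `/foo`, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "hackage.haskell.org"      # host named in the thread
URL_ATTRS = {"href", "src", "action"}  # attributes that carry a URL

# Constructed sample page; the paths are made up for this example.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://hackage.haskell.org/static/site.css">
</head><body>
<a href="/packages/">relative link, already fine</a>
<form action="http://hackage.haskell.org/upload" method="post"></form>
<a href="http://example.org/elsewhere">external link, out of scope</a>
<a href="//hackage.haskell.org/foo">scheme-relative, already fine</a>
</body></html>"""

def pins_http(url, host):
    """True if url is an absolute http:// URL pointing at our own host."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "http" and (parts.hostname or "") == host

def scheme_relative(url):
    """Drop the scheme so the browser reuses the page's own (http or https)."""
    parts = urlsplit(url.strip())
    return urlunsplit(("", parts.netloc, parts.path, parts.query, parts.fragment))

class HardcodedSchemeFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for same-site URLs that pin http."""
    def __init__(self, host):
        super().__init__()
        self.host = host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and pins_http(value, self.host):
                self.findings.append((self.getpos()[0], tag, name, value))

def audit(html, host=SITE_HOST):
    """Return findings, each extended with the suggested scheme-relative URL."""
    finder = HardcodedSchemeFinder(host)
    finder.feed(html)
    finder.close()
    return [f + (scheme_relative(f[3]),) for f in finder.findings]

if __name__ == "__main__":
    for line, tag, attr, url, fix in audit(SAMPLE):
        print(f"line {line}: <{tag} {attr}> {url} -> {fix}")
```

The `form action` finding is the one that matters most once the site is served over SSL: a hardcoded `http://` target would still send the submitted credentials in the clear.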

Most of the issues raised here indeed are addressed in Hackage2 already, or
are planned to be. Too few people working on it though. See the "Hackage
mess" section in [1] for more info on Hackage2 and [2] to see the running
instance.
[1] http://alpmestan.com/2012/11/02/cabal-hackage-what-you-can-do-about-it/
[2] http://new-hackage.haskell.org
On Thu, Jun 13, 2013 at 5:13 PM, Jeremy Shaw
No idea, but if not, it should be trivial to add support. The two main issues would be getting an SSL certificate (if one does not already exist) and then making sure that the links do not hardcode the schema. So //hackage.haskell.org/foo instead of http://hackage.haskell.org/.
Then the site can be served using simpleHTTPS instead of simpleHTTP.
- jeremy
On Thu, Jun 13, 2013 at 9:48 AM, Niklas Hambüchen
wrote: As for the user account creation and uploading packages you don't own, Hackage 2 (any day now) has fixes for both.
Does Hackage 2 have SSL at least for the web interface?
-- Alp Mestanogullari
participants (8): Alp Mestanogullari, Andrew Pennebaker, Brandon Allbery, Erik Hesselink, Jeremy Shaw, Mihai Maruseac, Niklas Hambüchen, Tobias Dammers