
On Sun, 2015-01-18 at 15:05 -0800, Vincent Hanquez wrote:
> On 18/01/2015 09:56, kyra wrote:
> > Hi, guys,
> > It looks like old (and even ancient) versions of many packages get uploaded to hackage over and over again in ever increasing amounts. The username of the uploader for the vast majority of these uploads is HerbertValerioRiedel.
> > While this is harmless I wonder what idea stands behind this?
> This is not harmless. This is a security issue by itself: as packages now get changed transparently given a URL, you might have a different package one day, which triggers a hash check failure or a signed tag verification failure.
Note that hackage never changes the content of package tarballs. The checksums on those are stable. Guaranteed.
> This also has the effect of not changing the bounds in the repository, so for example, next time you upload a tweaked package, you effectively revert the change done on hackage only.
Communicating changes upstream is certainly something we need to work on to be able to use this as widely as it'd be helpful. Up until recently we've only used the metadata editing feature with core packages (or the maintainers themselves have done it). Recently Herbert has been going a bit wider and if we are now running into issues of communication with maintainers then I think this says that now is the time to address that properly. So that includes:

* this discussion
* wider communication with maintainers of just what is and is not possible (since we're actually deliberately rather conservative)
* a proper notification and opt-in/opt-out system for maintainers to avail themselves of the helpful service that the trustees can provide.

Duncan