Hi
We need some security on uploads to hackage, because Cabal packages can run arbitrary code during the build process
I think this should be strongly discouraged by Cabal, almost to the point where Setup files with custom code are disallowed by Hackage. Doing an attack on an in-use module is a lot more work than putting it in the configure script.
I think that Apache authentication (as used in Trac, for example) would be sufficient, but that the initial registration of submitters needs to be done manually by a small group of people. We need to know who we're dealing with, and we need at least an email address to contact them. Personally, I'd prefer that user names were real names in camel case, but maybe I'm too old-fashioned.
There is also a list of people with access to the darcs repo's on Haskell.org - these things probably want managing in much the same way. Currently the policy is that Yhc hackers get their key added to my authorised_keys file, and just log in using my username - I'm not terribly comfortable with that. I would demand at the very least a real name, email address - but really, in an online world those things are nearly useless. I guess the only thing to do is to trust that people who have learnt enough about monads and IO to hijack Haskell things probably realise how cool Haskell is... Thanks Neil