On Thu, Dec 9, 2010 at 7:04 AM, Ketil Malde <ke...@malde.org> wrote:
> Vincent Hanquez <t...@snarc.org> writes:
>
>> You might have misunderstood what I was talking about. I'm proposing
>> signing on the hackage server on reception of the package,
>
> Okay, fair enough. You can't *enforce* this, of course, since I might
> work without general internet access but a local mirror, but you could
> require me to run 'cabal --dont-check-signatures' or similar, so this
> would still make a hostile-operated mirror less useful.
>
> OTOH, if I should suggest improving the security of Hackage, I would
> prioritize:
>
> a) email the maintainer whenever a new upload is accepted - preferably
> with a notice about whether the build works or fails. Maybe also
> highlight the case when maintainer differs from uploader - if that
> doesn't give a ton of false positives.
>
> b) email the *previous* maintainer when a new upload is accepted and the
> maintainer field has changed.
>
> This way, somebody is likely to actually *notice* when some evil person
> uploads a trojan mtl or bytestring or whatever. The downside is more
> mail, and the people who run Hackage have been wary about this. So
> perhaps even this is on the wrong side of the cost/benefit fence.
>
> (People with admin privileges (staff or hackers) to hackage can of course
> still work around everything - crypto signatures or email-schemes.)
>
> -k
Also, perhaps put the signatures on a separate machine from the one containing .tar.gz. For a 3rd party to corrupt a package, they'd need to hack 2 machines.

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
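As an added example (not code from this thread, Hackage or cabal), this Go sketch puts the two ideas above together: the upload server signs the tarball on reception, the client fetches the tarball from a mirror and the detached signature from a separate host, and a tarball swapped on a hostile mirror fails the check because the signature host was not touched. Ed25519, the package-name binding in the signed message and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer models the hackage side: a key held only on the upload server and
// used to sign each package as it is accepted. (Hypothetical; Ed25519 is an assumption.)
type Signer struct{ priv ed25519.PrivateKey }
func NewSigner() (*Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Signer{priv: priv}, pub, nil
}
// signedMessage binds the package name to the SHA-256 digest of the tarball,
// so a signature issued for one package cannot be replayed for another.
func signedMessage(name string, tarball []byte) []byte {
	d := sha256.Sum256(tarball)
	return append([]byte(name+"\x00"), d[:]...)
}
// SignOnReception produces the detached signature stored on the signature host.
func (s *Signer) SignOnReception(name string, tarball []byte) []byte {
	return ed25519.Sign(s.priv, signedMessage(name, tarball))
}
// VerifyDownload is the client-side check: tarball from the mirror, signature
// from the separate signature host, public key pinned in the client.
func VerifyDownload(pub ed25519.PublicKey, name string, tarball, sig []byte) bool {
	return ed25519.Verify(pub, signedMessage(name, tarball), sig)
}

func main() {
	signer, pub, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample upload; the signature lives on a different host than the tarball.
	good := []byte("mtl-2.0.1.0.tar.gz contents (constructed)")
	sigHost := map[string][]byte{"mtl-2.0.1.0": signer.SignOnReception("mtl-2.0.1.0", good)}
	mirror := map[string][]byte{"mtl-2.0.1.0": good}
	fmt.Println("clean mirror:", VerifyDownload(pub, "mtl-2.0.1.0", mirror["mtl-2.0.1.0"], sigHost["mtl-2.0.1.0"]))
	// A hostile mirror replaces the tarball but cannot touch the signature host.
	mirror["mtl-2.0.1.0"] = []byte("trojaned contents (constructed)")
	fmt.Println("tampered mirror:", VerifyDownload(pub, "mtl-2.0.1.0", mirror["mtl-2.0.1.0"], sigHost["mtl-2.0.1.0"]))
}
```

Note that a client started with the equivalent of '--dont-check-signatures' skips VerifyDownload entirely, which is exactly the local-mirror trade-off Ketil describes.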