#239: security hole: anyone can replace a package
--------------------------------+-------------------------------------------
Reporter: guest | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: HackageDB website | Version:
Severity: normal | Resolution:
Keywords: | Difficulty: normal
Ghcversion: 6.8.2 | Platform:
--------------------------------+-------------------------------------------
Comment (by duncan):
It's not a trivial balance about who should be allowed to upload a
package. By uploading to a public repo, package authors are surrendering a
little bit of control. If people start relying on a package then we want
that package to continue even if the original uploader goes AWOL.
So it is not clear that we would always want to restrict uploads to the
declared maintainer (or whoever uploaded it first). One could imagine a
system where there is a list of allowed uploaders for a package and
existing people could add others to that set. But whatever we do like that,
it has to be overridable for the cases when a package maintainer
disappears.
--
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/239#comment:4>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects
_______________________________________________
cabal-devel mailing list
http://www.haskell.org/mailman/listinfo/cabal-devel