On Sat, 2008-11-22 at 15:11 +0000, Claus Reinke wrote:
> > You only need an account for uploading packages. If you do not want to
> > have to enter your user name or password interactively when you run
> > "cabal upload" then you can put them in the config file:
> > 
> > username:
> > password:
> 
> That sounds like a very bad idea, and should not be encouraged!
> Any compromised uploader machine with stored passwords can
> be used to upload compromising code, which will propagate to 
> all downloaders. One bad-apple package installed unwittingly on 
> one uploader machine with stored passwords could compromise 
> all of Haskell land.

We've got bigger security issues than this. I'd welcome someone to spend
some time implementing some of the obvious and sensible ideas we've
discussed to improve the situation.

Duncan

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
