Re: [Haskell-cafe] Do I need an account to report build of Hackage packages?

2008-11-22 Thread Claus Reinke

> You only need an account for uploading packages. If you do not want to
> have to enter your user name or password interactively when you run
> cabal upload then you can put them in the config file:
>
> username:
> password:


That sounds like a very bad idea, and should not be encouraged!
Any compromised uploader machine with stored passwords can
be used to upload compromising code, which will propagate to 
all downloaders. One bad-apple package installed unwittingly on 
one uploader machine with stored passwords could compromise 
all of Haskell land.


Claus

___
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe


Re: [Haskell-cafe] Do I need an account to report build of Hackage packages?

2008-11-22 Thread Duncan Coutts
On Sat, 2008-11-22 at 15:11 +, Claus Reinke wrote:
> > You only need an account for uploading packages. If you do not want to
> > have to enter your user name or password interactively when you run
> > cabal upload then you can put them in the config file:
> >
> > username:
> > password:
>
> That sounds like a very bad idea, and should not be encouraged!
> Any compromised uploader machine with stored passwords can
> be used to upload compromising code, which will propagate to
> all downloaders. One bad-apple package installed unwittingly on
> one uploader machine with stored passwords could compromise
> all of Haskell land.

We've got bigger security issues than this. I'd welcome someone to spend
some time implementing some of the obvious and sensible ideas we've
discussed to improve the situation.

Duncan



Re: [Haskell-cafe] Do I need an account to report build of Hackage packages?

2008-11-22 Thread Antti-Juhani Kaijanaho
On Sat, Nov 22, 2008 at 03:11:34PM -, Claus Reinke wrote:
> You only need an account for uploading packages. If you do not want to
> have to enter your user name or password interactively when you run
> cabal upload then you can put them in the config file:
>
> username:
> password:
>
> That sounds like a very bad idea, and should not be encouraged!

Agreed.  However...

> Any compromised uploader machine with stored passwords can
> be used to upload compromising code, which will propagate to all
> downloaders.

It doesn't really matter whether a compromised machine stores a password or
not.  If you upload anything using a compromised machine, the attacker
has the opportunity to learn your password.

Also, Hackage doesn't use SSL/TLS, so compromising a machine isn't necessary
for learning Hackage passwords.

-- 
Antti-Juhani Kaijanaho, Jyväskylä, Finland
http://antti-juhani.kaijanaho.fi/newblog/
http://www.flickr.com/photos/antti-juhani/
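The thread above turns on whether `~/.cabal/config` carries a filled-in `password:` entry. The following check is an added example, not code from the thread or from cabal itself: it parses the `key: value` lines of a cabal-style config (a constructed subset of the real format: `--` comments, indented nested sections skipped, empty value means unset) and reports whether an uploader machine would hold a plaintext Hackage password. The sample configs and account name are constructed.

```python
# Keys the thread discusses: cabal's `username:` and `password:` config entries.
CREDENTIAL_KEYS = ("username", "password")

def parse_cabal_config(text):
    """Parse top-level `key: value` lines of a cabal-style config file.

    Assumed subset of the format: lines starting with `--` are comments,
    indented lines belong to a nested section and are skipped, and a key
    with an empty value (``password:``) counts as not set.
    """
    settings = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("--"):
            continue
        if raw[0].isspace():          # entry inside a nested section, ignore
            continue
        key, sep, value = raw.partition(":")
        if not sep:                   # section header such as `install-dirs user`
            continue
        settings[key.strip()] = value.strip()
    return settings

def stored_credentials(text):
    """Return the credential keys that hold a non-empty value."""
    settings = parse_cabal_config(text)
    return {k: settings[k] for k in CREDENTIAL_KEYS if settings.get(k)}

def audit_config(text):
    """Classify a config as 'plaintext-password', 'username-only' or 'prompted'."""
    found = stored_credentials(text)
    if "password" in found:
        return "plaintext-password"   # the case Claus warns about
    if "username" in found:
        return "username-only"        # cabal upload still prompts for the password
    return "prompted"

# Constructed sample configs (hypothetical account, not a real Hackage user).
STORED = """-- cabal config with an uploader account stored
username: example-uploader
password: hunter2
install-dirs user
  prefix: /home/example/.cabal
"""
PROMPTED = """-- password left empty, so cabal upload asks for it interactively
username: example-uploader
password:
"""

if __name__ == "__main__":
    for name, cfg in (("stored", STORED), ("prompted", PROMPTED)):
        print(name, "->", audit_config(cfg))
```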