On 10/28/2012 03:20 AM, Niklas Hambüchen wrote:
> - abuse your hackage account and override arbitrary packages
> (especially since hackage allows everybody to override everything)
Does hackage at least store the logs of package uploads? What's the
reason for such a security model? I guess it was appropriate in the past
when hackage was an experimental service, but now it's a standard way of
distributing Haskell code. If anyone can update any package, we are
waiting for the disaster. I have some Haskell code I wrote myself
running as root and these thoughts make me shiver.
HTTPS is a must-have in the current situation, but it's only part of a solution.
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe