On 01/31/2013 08:16 AM, Ketil Malde wrote:
> *MY* proposal is that:
> 0. Hackage sends an email to the previous uploader whenever a new
> version of a package is uploaded by somebody else.
> At least that way, I would be notified if it happened to my packages,
> and I would be able to check up on the situation, and rectify it.
You wouldn't in real cases; it just fixes the most obvious and simple
attack vector. But consider:
* someone intercepting your upload HTTP stream and dynamically
replacing your package.
* someone gaining malicious access to Hackage and planting stuff inside
packages.
* a rogue Hackage admin.
* a rogue Hackage mirror admin.
It's obviously less easy than just creating an account and uploading
things on top of other packages, but I don't think we should feel safe
if the previous maintainer received an email about the change. For
example, the previous maintainer might be away from email for a long time,
potentially leaving a trojan version for days/weeks, or might have changed
email address.
--
Vincent
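As an added illustration of the reply's point (example code, not from the thread or from Hackage): the notification in proposal 0 fires only when a *different account* performs an upload, so a tampered upload stream and a server-side edit by an admin go unnoticed, while a maintainer-held signature verified on the client side catches all three. Assumed: a toy Lamport one-time signature over SHA-256 (stdlib only, hypothetical scheme for illustration) and constructed tarball bytes.

```python
import hashlib
import secrets

# Constructed package archives for this example (not real Hackage uploads).
GOOD_TARBALL = b"foo-1.0.tar.gz: genuine contents"
TROJAN_TARBALL = b"foo-1.0.tar.gz: contents with a trojan"

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key: 256 pairs of random secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def message_bits(msg: bytes):
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    """Reveal one secret of each pair, chosen by the digest bit. Use a key only once."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(message_bits(msg)))

def notification_fires(previous_uploader, uploader) -> bool:
    """Proposal 0: mail the previous uploader only when another account uploads.
    A server-side edit is not an upload, so it has no uploader (None)."""
    return uploader is not None and uploader != previous_uploader

def evaluate(scenario, uploader, stored: bytes, sig, pk):
    return {"scenario": scenario,
            "email_sent": notification_fires("ketil", uploader),
            "signature_ok": verify(pk, stored, sig)}

def run_scenarios():
    sk, pk = keygen()             # maintainer's key; pk distributed out of band
    sig = sign(sk, GOOD_TARBALL)  # maintainer signs before uploading
    return [
        evaluate("honest upload", "ketil", GOOD_TARBALL, sig, pk),
        evaluate("other account uploads over it", "mallory", TROJAN_TARBALL, sig, pk),
        evaluate("upload stream tampered in transit", "ketil", TROJAN_TARBALL, sig, pk),
        evaluate("stored package edited by a rogue admin", None, TROJAN_TARBALL, sig, pk),
    ]
```

Only the second scenario triggers the email; the signature check fails in every tampered case regardless of who touched the bytes.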
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe