On Wed, Apr 15, 2015 at 8:50 AM Gershom B <[email protected]> wrote:
> On April 15, 2015 at 1:43:42 AM, Michael Snoyman ([email protected]) wrote:
>
> > There's a lot of stuff going on inside of Hackage which we have
> > no insight into or control over. The simplest is that we can't
> > review a log of revisions. Improving that is a good thing, and
> > I hope Hackage does so. Nonetheless, I'd still prefer a fully
> > open, auditable system, which isn't possible with "just tack
> > it on to Hackage."
>
> Ok, I'm going to ignore everything else and just focus on this, because it
> seems to be the only thing related to Hackage, and therefore should be
> thought of separately from everything else.
>
> What _else_ goes on that "we have no insight or control over"? Can we
> document the full list? Can we specify what we mean by insight? I take that
> to mean auditability. Can we specify what we mean by "control"? (There I
> have no idea.)
>
> (With regards to revision logs, revisions are still a relatively new
> feature and there's lots of bits and bobs missing, and I agree this is low
> hanging fruit to improve.)
>

I'm not intimately familiar with the Hackage API, so I can't give a point-by-point description of what information is and is not auditable. However, *all* of that is predicated on trusting Hackage to properly authenticate users and be immune to attacks. For example, even if I can ask Hackage who uploaded a certain package/version, there's no way I can audit that that's actually the case, besides going and asking that person. And I can't even do *that* reliably, since the only identification for an uploader is the Hackage username, and I can't verify that someone actually owns that username without asking for his/her password also.

One feature Hackage could add that would make the latter a bit better would be to verify identity claims from people (à la OpenID), though that still leaves us in the position of needing to fully trust Hackage.

Michael
_______________________________________________
haskell-infrastructure mailing list
[email protected]
http://community.galois.com/mailman/listinfo/haskell-infrastructure
