Missing package.json files for some packages? #183

Open
snoyberg opened this Issue Jan 25, 2017 · 3 comments


@snoyberg
Contributor

When I turn on "require package hashes" in Stack on the Hackage Security branch, I get the following error message:

Package index Hackage is configured to require package hashes, but no hash is available for amazonka-codedeploy-1.4.0

Sure enough, if I look in the 01-index.tar file, there is no package.json file for that release of amazonka-codedeploy:

[screenshot: screen shot 2017-01-25 at 4 04 32 pm]

Is there some reason for this file to be missing? From a security standpoint, it would be nice to be able to depend on the existence of a hash for every package.

Also, I'm not sure if this is the appropriate repo for this question. I can move it to the Hackage Server tracker if that's better.

snoyberg added a commit to commercialhaskell/stack that referenced this issue Jan 25, 2017
Commit 9664402: Support Hackage Security hashes
Cannot yet turn on "require hashes" by default due to missing hashes,
see: haskell/hackage-security#183
@hvr
Member
hvr commented Jan 25, 2017

We have known about this for quite some time already (cf. haskell/hackage-server#488) but this glitch is very hard to reproduce and hasn't re-occurred ever since then. This is also the reason why the hackage-mirror-tool needs this temporary hack. At some point we're gonna supply those missing package.json files in the index tarball, we just didn't get to it yet.

@snoyberg
Contributor

Is there no method available to:

  1. Manually add the missing package.json files, and
  2. Add a sanity check (like each .cabal file has a package.json file) before the 01-index.tar.gz file is generated?

This does seem to significantly impede the ability of tools to provide security guarantees.
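The sanity check proposed in step 2 above, written out as an added example (not code from hackage-security, hackage-server or Stack). It assumes the 01-index layout in which every release lives under `<pkg>/<ver>/` with a `<pkg>.cabal` file and, when hashes were published, a `package.json` beside it; other entries such as `<pkg>/preferred-versions` are skipped. The sample tarball is constructed in memory so the script runs offline; pointing `find_releases_without_hashes` at the bytes of a real `01-index.tar` or `01-index.tar.gz` works the same way, since `tarfile` auto-detects compression.

```python
import io
import tarfile
from collections import defaultdict


def index_entries(tar_bytes):
    """Yield (package, version, filename) for every regular file in the
    index tarball whose path has the assumed Hackage layout <pkg>/<ver>/<file>."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")
            if len(parts) != 3:
                # e.g. <pkg>/preferred-versions is not a release directory
                continue
            yield tuple(parts)


def find_releases_without_hashes(tar_bytes):
    """Return sorted 'pkg-ver' ids that have a .cabal file but no package.json.

    A release with no package.json has no published hash, so a client
    configured to require hashes cannot verify that tarball."""
    files_by_release = defaultdict(set)
    for pkg, ver, name in index_entries(tar_bytes):
        files_by_release[(pkg, ver)].add(name)
    missing = []
    for (pkg, ver), names in files_by_release.items():
        has_cabal = any(n.endswith(".cabal") for n in names)
        if has_cabal and "package.json" not in names:
            missing.append(f"{pkg}-{ver}")
    return sorted(missing)


def build_sample_index():
    """Constructed sample index (not real Hackage data): two releases,
    one of them missing its package.json."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(path, content):
            data = content.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("amazonka-codedeploy/1.4.0/amazonka-codedeploy.cabal",
            "name: amazonka-codedeploy\nversion: 1.4.0\n")
        add("example-pkg/0.1/example-pkg.cabal",
            "name: example-pkg\nversion: 0.1\n")
        # placeholder body; a real package.json carries TUF-style target hashes
        add("example-pkg/0.1/package.json", '{"signed": {"targets": {}}}')
        add("example-pkg/preferred-versions", "example-pkg >= 0.1\n")
    return buf.getvalue()


if __name__ == "__main__":
    missing = find_releases_without_hashes(build_sample_index())
    if missing:
        print("releases without package.json:", ", ".join(missing))
        raise SystemExit(1)
    print("every release has a package.json")
```

Run as a pre-publish gate, a non-zero exit stops a new index from being generated while any release lacks its hash file; run against an existing index, it lists exactly the releases that a "require hashes" client will refuse.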

snoyberg added a commit to commercialhaskell/stack that referenced this issue Jan 27, 2017
Commit 49b5381: Support Hackage Security hashes
Cannot yet turn on "require hashes" by default due to missing hashes,
see: haskell/hackage-security#183
@hvr
Member
hvr commented Jan 28, 2017

> This does seem to significantly impede the ability of tools to provide security guarantees.

That's not really true though because as a kind of happy accident this unintentional situation currently exercises cabal's code-paths for when the package hashes are missing; and in fact cabal refuses to download those couple of packages whose cryptographic checksums are missing. This just forces us to be able to cope with this exceptional case which we would have to anyway.
