Package uploading is completely unsecured #2
Right now, anyone can register an account (without passing any kind of CAPTCHA or anything, so bots will overrun the place quickly on a live site) and upload new packages to their heart's content. This is a major risk for several reasons (package installation can do evil stuff with custom build types, easy to use up tons of disk space, etc.).
Of course, nothing can truly solve the security issue, but I suggest the following:
This should be a simple change to the code. The workflow for a package uploader would be:
This is basically the same as the Hackage1 registration process, but a bit easier for the maintainer.
An ideal solution would be something like:
That would be nicer, but would probably require a lot more coding than the simpler solution.
This is being tracked on the Cabal trac at http://hackage.haskell.org/trac/hackage/ticket/911