Re: Automating Hackage accounts
Erik Hesselink <hesselink <at> gmail.com>
2013-06-13 14:38:38 GMT
On Thu, Jun 13, 2013 at 4:22 PM, Tobias Dammers <tdammers <at> gmail.com> wrote:
> On Thu, Jun 13, 2013 at 05:07:38PM +0300, Mihai Maruseac wrote:
>> On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers <tdammers <at> gmail.com> wrote:
>> > On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
>> >> Could we add an HTML form for creating new Hackage accounts? Right now, our
>> >> community is small enough that emailing ross <at> soi.city.ac.uk and waiting for
>> >> a manual response isn't too bad of a problem, but as we grow, it would be
>> >> nice for these sorts of things to be handled by a server, like with
>> >> RubyGems and NPM.
>> > IMHO, a more pressing issue is SSL uploads and package signing. As it
>> > stands, anyone with a Hackage account can upload a new version of any
>> > given package, and some wire-sniffing is enough to reveal a legit user's
>> > password.
>> I'd try to solve the latest two things first before going into
>> creating a specific form.
>> On the other hand, maybe we can rig something up with Yesod or similar
>> to solve all three points at the same time. I'm busy now with my
>> masters dissertation but I can attempt something in a month if it seems
>> ok and no one else does it before that date.
> IIRC, there have been previous attempts, or at least a discussion. I
> can't remember what the result was, though.
> Either way, it'll take more than just a Yesod web application built over
> a weekend; signed packages would require package authors to, well, sign,
> so cabal would need features for that; you'd also have to extend it to
> *check* those signatures, and give the user options to refuse or allow
> unsigned packages. SSL should be relatively simple though, mostly a
> matter of updating cabal's configuration and installing a suitable
> certificate on the hackage server.
There have been numerous discussions about this already. One of the
tricky things is that cabal uses the HTTP package for http calls, and
it doesn't support SSL. Adding it is non-trivial on Windows, I
As for the user account creation and uploading packages you don't own,
Hackage 2 (any day now) has fixes for both.