Andrew Pennebaker | 13 Jun 15:44 2013

Automating Hackage accounts

Could we add an HTML form for creating new Hackage accounts? Right now, our community is small enough that emailing ross <at> soi.city.ac.uk and waiting for a manual response isn't too bad of a problem, but as we grow, it would be nice for these sorts of things to be handled by a server, like with RubyGems and NPM.

--
Cheers,

Andrew Pennebaker
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe <at> haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
Tobias Dammers | 13 Jun 16:02 2013

Re: Automating Hackage accounts

On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
> Could we add an HTML form for creating new Hackage accounts? Right now, our
> community is small enough that emailing ross <at> soi.city.ac.uk and waiting for
> a manual response isn't too bad of a problem, but as we grow, it would be
> nice for these sorts of things to be handled by a server, like with
> RubyGems and NPM.

IMHO, a more pressing issue is SSL uploads and package signing. As it
stands, anyone with a Hackage account can upload a new version of any
given package, and some wire-sniffing is enough to reveal a legit user's
password.
Mihai Maruseac | 13 Jun 16:07 2013

Re: Automating Hackage accounts

On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers <tdammers <at> gmail.com> wrote:
> On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
>> Could we add an HTML form for creating new Hackage accounts? Right now, our
>> community is small enough that emailing ross <at> soi.city.ac.uk and waiting for
>> a manual response isn't too bad of a problem, but as we grow, it would be
>> nice for these sorts of things to be handled by a server, like with
>> RubyGems and NPM.
>
> IMHO, a more pressing issue is SSL uploads and package signing. As it
> stands, anyone with a Hackage account can upload a new version of any
> given package, and some wire-sniffing is enough to reveal a legit user's
> password.

I'd try to solve the latest two things first before going into
creating a specific form.

On the other hand, maybe we can rig something up with Yesod or similar
to solve all three points at the same time. I'm busy now with my
master's dissertation but I can attempt something in a month if it seems
ok and no one else does it before that date.

--
MM
"All we have to decide is what we do with the time that is given to us"
Tobias Dammers | 13 Jun 16:22 2013

Re: Automating Hackage accounts

On Thu, Jun 13, 2013 at 05:07:38PM +0300, Mihai Maruseac wrote:
> On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers <tdammers <at> gmail.com> wrote:
> > On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
> >> Could we add an HTML form for creating new Hackage accounts? Right now, our
> >> community is small enough that emailing ross <at> soi.city.ac.uk and waiting for
> >> a manual response isn't too bad of a problem, but as we grow, it would be
> >> nice for these sorts of things to be handled by a server, like with
> >> RubyGems and NPM.
> >
> > IMHO, a more pressing issue is SSL uploads and package signing. As it
> > stands, anyone with a Hackage account can upload a new version of any
> > given package, and some wire-sniffing is enough to reveal a legit user's
> > password.
> 
> I'd try to solve the latest two things first before going into
> creating a specific form.
> 
> On the other hand, maybe we can rig something up with Yesod or similar
> to solve all three points at the same time. I'm busy now with my
> master's dissertation but I can attempt something in a month if it seems
> ok and no one else does it before that date.

IIRC, there have been previous attempts, or at least a discussion. I
can't remember what the result was, though.

Either way, it'll take more than just a Yesod web application built over
a weekend; signed packages would require package authors to, well, sign,
so cabal would need features for that; you'd also have to extend it to
*check* those signatures, and give the user options to refuse or allow
unsigned packages. SSL should be relatively simple though, mostly a
matter of updating cabal's configuration and installing a suitable
certificate on the hackage server.
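As an added illustration (not code from this thread, from cabal, or from Hackage) of the client-side check Tobias describes: verify a detached signature on a package against keys the user has chosen to trust, with the option to refuse or allow unsigned packages. It is written in Go with ed25519 as a stand-in signature scheme; the package record, key ids and trust store are constructed assumptions, not any real Hackage format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// Constructed stand-ins, not Hackage's or cabal's real formats: a package
// tarball with a detached signature and the id of the key that signed it
// ("" if unsigned), plus the public keys the user has chosen to trust.
type SignedPackage struct {
	Name    string
	Tarball []byte
	KeyID   string
	Sig     []byte
}
type TrustStore map[string]ed25519.PublicKey

var ErrUnsigned = errors.New("unsigned package refused by policy")
var ErrUnknownKey = errors.New("signing key is not in the trust store")
var ErrBadSig = errors.New("signature does not verify against tarball")
// message binds the signature to the package name as well as its bytes (NUL
// separated), so a valid signature cannot be replayed under another name.
func message(name string, tarball []byte) []byte {
	return append(append([]byte(name), 0), tarball...)
}

// Sign is the author-side step: produce the detached signature.
func Sign(priv ed25519.PrivateKey, name string, tarball []byte) []byte {
	return ed25519.Sign(priv, message(name, tarball))
}

// Verify is the client-side check cabal would need, with the refuse/allow
// unsigned option the thread mentions; nil means the package is acceptable.
func Verify(ts TrustStore, allowUnsigned bool, p SignedPackage) error {
	if p.KeyID == "" || len(p.Sig) == 0 {
		if allowUnsigned {
			return nil
		}
		return ErrUnsigned
	}
	pub, ok := ts[p.KeyID]
	if !ok {
		return ErrUnknownKey // an unknown signer is no better than no signer
	}
	if !ed25519.Verify(pub, message(p.Name, p.Tarball), p.Sig) {
		return ErrBadSig
	}
	return nil
}
```

Note that a tampered tarball, a signature replayed under a different package name, and a signature from a key outside the trust store are all rejected, while an unsigned package is accepted only when the user has opted in.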
Erik Hesselink | 13 Jun 16:38 2013

Re: Automating Hackage accounts

On Thu, Jun 13, 2013 at 4:22 PM, Tobias Dammers <tdammers <at> gmail.com> wrote:
> On Thu, Jun 13, 2013 at 05:07:38PM +0300, Mihai Maruseac wrote:
>> On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers <tdammers <at> gmail.com> wrote:
>> > On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
>> >> Could we add an HTML form for creating new Hackage accounts? Right now, our
>> >> community is small enough that emailing ross <at> soi.city.ac.uk and waiting for
>> >> a manual response isn't too bad of a problem, but as we grow, it would be
>> >> nice for these sorts of things to be handled by a server, like with
>> >> RubyGems and NPM.
>> >
>> > IMHO, a more pressing issue is SSL uploads and package signing. As it
>> > stands, anyone with a Hackage account can upload a new version of any
>> > given package, and some wire-sniffing is enough to reveal a legit user's
>> > password.
>>
>> I'd try to solve the latest two things first before going into
>> creating a specific form.
>>
>> On the other hand, maybe we can rig something up with Yesod or similar
>> to solve all three points at the same time. I'm busy now with my
>> master's dissertation but I can attempt something in a month if it seems
>> ok and no one else does it before that date.
>
> IIRC, there have been previous attempts, or at least a discussion. I
> can't remember what the result was, though.
>
> Either way, it'll take more than just a Yesod web application built over
> a weekend; signed packages would require package authors to, well, sign,
> so cabal would need features for that; you'd also have to extend it to
> *check* those signatures, and give the user options to refuse or allow
> unsigned packages. SSL should be relatively simple though, mostly a
> matter of updating cabal's configuration and installing a suitable
> certificate on the hackage server.

There have been numerous discussions about this already. One of the
tricky things is that cabal uses the HTTP package for http calls, and
it doesn't support SSL. Adding it is non-trivial on windows, I
believe.

As for the user account creation and uploading packages you don't own,
Hackage 2 (any day now) has fixes for both.

Erik
Niklas Hambüchen | 13 Jun 16:48 2013

Re: Automating Hackage accounts

> As for the user account creation and uploading packages you don't own,
> Hackage 2 (any day now) has fixes for both.

Does Hackage 2 have SSL at least for the web interface?
Brandon Allbery | 13 Jun 16:56 2013

Re: Automating Hackage accounts

On Thu, Jun 13, 2013 at 10:48 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
>> As for the user account creation and uploading packages you don't own,
>> Hackage 2 (any day now) has fixes for both.
>
> Does Hackage 2 have SSL at least for the web interface?

Doesn't look like it. :( 

--
brandon s allbery kf8nh                               sine nomine associates
allbery.b <at> gmail.com                                  ballbery <at> sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
Erik Hesselink | 13 Jun 17:03 2013

Re: Automating Hackage accounts

On Thu, Jun 13, 2013 at 4:48 PM, Niklas Hambüchen <mail <at> nh2.me> wrote:
>> As for the user account creation and uploading packages you don't own,
>> Hackage 2 (any day now) has fixes for both.
>
> Does Hackage 2 have SSL at least for the web interface?

I think it should be possible to set that up by proxying through e.g.
Apache. You have to be careful to open up all urls 'cabal' accesses
over http as well, but otherwise, I don't see a problem with that
setup. I'm not quite sure what it would achieve, though.

Erik
Jeremy Shaw | 13 Jun 17:13 2013

Re: Automating Hackage accounts

No idea, but if not, it should be trivial to add support. The two main issues would be getting an SSL certificate (if one does not already exist) and then making sure that the links do not hardcode the schema. So //hackage.haskell.org/foo instead of http://hackage.haskell.org/.

Then the site can be served using simpleHTTPS instead of simpleHTTP.

- jeremy


On Thu, Jun 13, 2013 at 9:48 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
>> As for the user account creation and uploading packages you don't own,
>> Hackage 2 (any day now) has fixes for both.
>
> Does Hackage 2 have SSL at least for the web interface?

Alp Mestanogullari | 14 Jun 02:46 2013

Re: Automating Hackage accounts

Most of the issues raised here indeed are addressed in Hackage2 already, or are planned to be. Too few people working on it though. See the "Hackage mess" section in [1] for more info on Hackage2 and [2] to see the running instance.

On Thu, Jun 13, 2013 at 5:13 PM, Jeremy Shaw <jeremy <at> n-heptane.com> wrote:
> No idea, but if not, it should be trivial to add support. The two main issues would be getting an SSL certificate (if one does not already exist) and then making sure that the links do not hardcode the schema. So //hackage.haskell.org/foo instead of http://hackage.haskell.org/.
>
> Then the site can be served using simpleHTTPS instead of simpleHTTP.
>
> - jeremy
>
>
> On Thu, Jun 13, 2013 at 9:48 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
>>> As for the user account creation and uploading packages you don't own,
>>> Hackage 2 (any day now) has fixes for both.
>>
>> Does Hackage 2 have SSL at least for the web interface?

--
Alp Mestanogullari