Automating Hackage accounts


Automating Hackage accounts

Andrew Pennebaker
Could we add an HTML form for creating new Hackage accounts? Right now, our community is small enough that emailing [hidden email] and waiting for a manual response isn't too bad of a problem, but as we grow, it would be nice for these sorts of things to be handled by a server, like with RubyGems and NPM.

--
Cheers,

Andrew Pennebaker

_______________________________________________
Haskell-Cafe mailing list
[hidden email]
http://www.haskell.org/mailman/listinfo/haskell-cafe

Re: Automating Hackage accounts

Tobias Dammers
On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
> Could we add an HTML form for creating new Hackage accounts? Right now, our
> community is small enough that emailing [hidden email] and waiting for
> a manual response isn't too bad of a problem, but as we grow, it would be
> nice for these sorts of things to be handled by a server, like with
> RubyGems and NPM.

IMHO, a more pressing issue is SSL uploads and package signing. As it
stands, anyone with a Hackage account can upload a new version of any
given package, and some wire-sniffing is enough to reveal a legit user's
password.


Re: Automating Hackage accounts

Mihai Maruseac
On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers <[hidden email]> wrote:

> On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
>> Could we add an HTML form for creating new Hackage accounts? Right now, our
>> community is small enough that emailing [hidden email] and waiting for
>> a manual response isn't too bad of a problem, but as we grow, it would be
>> nice for these sorts of things to be handled by a server, like with
>> RubyGems and NPM.
>
> IMHO, a more pressing issue is SSL uploads and package signing. As it
> stands, anyone with a Hackage account can upload a new version of any
> given package, and some wire-sniffing is enough to reveal a legit user's
> password.

I'd try to solve the latest two things first before going into
creating a specific form.

On the other hand, maybe we can rig something up with Yesod or similar
to solve all three points at the same time. I'm busy now with my
master's dissertation but I can attempt something in a month if it seems
ok and no one else does it before that date.

--
MM
"All we have to decide is what we do with the time that is given to us"


Re: Automating Hackage accounts

Tobias Dammers
On Thu, Jun 13, 2013 at 05:07:38PM +0300, Mihai Maruseac wrote:

> On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers <[hidden email]> wrote:
> > On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
> >> Could we add an HTML form for creating new Hackage accounts? Right now, our
> >> community is small enough that emailing [hidden email] and waiting for
> >> a manual response isn't too bad of a problem, but as we grow, it would be
> >> nice for these sorts of things to be handled by a server, like with
> >> RubyGems and NPM.
> >
> > IMHO, a more pressing issue is SSL uploads and package signing. As it
> > stands, anyone with a Hackage account can upload a new version of any
> > given package, and some wire-sniffing is enough to reveal a legit user's
> > password.
>
> I'd try to solve the latest two things first before going into
> creating a specific form.
>
> On the other hand, maybe we can rig something up with Yesod or similar
> to solve all three points at the same time. I'm busy now with my
> master's dissertation but I can attempt something in a month if it seems
> ok and no one else does it before that date.

IIRC, there have been previous attempts, or at least a discussion. I
can't remember what the result was, though.

Either way, it'll take more than just a Yesod web application built over
a weekend; signed packages would require package authors to, well, sign,
so cabal would need features for that; you'd also have to extend it to
*check* those signatures, and give the user options to refuse or allow
unsigned packages. SSL should be relatively simple though, mostly a
matter of updating cabal's configuration and installing a suitable
certificate on the hackage server.

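Tobias's point that cabal would need to check package signatures and let the user refuse or allow unsigned packages, as an added example that is not part of this thread and is not cabal or Hackage code. It uses Go's standard-library Ed25519 to stand in for whatever signing scheme would actually be chosen (the thread specifies none); the package record, the key IDs and the tarball bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a hypothetical upload: the tarball bytes plus an optional
// detached signature and the ID of the trusted key that produced it.
type Package struct {
	Name      string
	Tarball   []byte
	Signature []byte // nil when the author did not sign
	KeyID     string // "" when unsigned
}

// Policy is the user's choice from the thread: refuse or allow unsigned packages.
type Policy struct {
	AllowUnsigned bool
}

// Verdict is what the client does with the package after checking it.
type Verdict int

const (
	Reject Verdict = iota
	AcceptSigned
	AcceptUnsignedWithWarning
)

var (
	ErrUnknownKey   = errors.New("signer key is not in the trust store")
	ErrBadSignature = errors.New("signature does not verify over the tarball")
)

// Sign produces a detached Ed25519 signature over the SHA-256 of the tarball.
func Sign(priv ed25519.PrivateKey, tarball []byte) []byte {
	digest := sha256.Sum256(tarball)
	return ed25519.Sign(priv, digest[:])
}

// Check applies the policy: a signed package must verify against a key in the
// trust store; an unsigned package is accepted only when the policy allows it.
func Check(trusted map[string]ed25519.PublicKey, pol Policy, p Package) (Verdict, error) {
	if p.Signature == nil {
		if pol.AllowUnsigned {
			return AcceptUnsignedWithWarning, nil
		}
		return Reject, fmt.Errorf("%s: unsigned package refused by policy", p.Name)
	}
	pub, ok := trusted[p.KeyID]
	if !ok {
		return Reject, ErrUnknownKey
	}
	digest := sha256.Sum256(p.Tarball)
	if !ed25519.Verify(pub, digest[:], p.Signature) {
		return Reject, ErrBadSignature
	}
	return AcceptSigned, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed trust store with a single author key.
	trusted := map[string]ed25519.PublicKey{"author-key-1": pub}
	tarball := []byte("constructed tarball contents for foo-1.0")
	good := Package{Name: "foo-1.0", Tarball: tarball, Signature: Sign(priv, tarball), KeyID: "author-key-1"}
	tampered := good
	tampered.Tarball = []byte("constructed tarball contents for foo-1.0 (modified in transit)")
	unsigned := Package{Name: "bar-0.1", Tarball: []byte("constructed unsigned tarball")}
	for _, p := range []Package{good, tampered, unsigned} {
		v, err := Check(trusted, Policy{AllowUnsigned: false}, p)
		fmt.Println(p.Name, v, err)
	}
}
```

The split between Sign and Check mirrors the two pieces of work Tobias names: authors need a way to sign, and the client needs a way to verify plus a policy switch for packages that carry no signature.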

Re: Automating Hackage accounts

Erik Hesselink
On Thu, Jun 13, 2013 at 4:22 PM, Tobias Dammers <[hidden email]> wrote:

> On Thu, Jun 13, 2013 at 05:07:38PM +0300, Mihai Maruseac wrote:
>> On Thu, Jun 13, 2013 at 5:02 PM, Tobias Dammers <[hidden email]> wrote:
>> > On Thu, Jun 13, 2013 at 09:44:03AM -0400, Andrew Pennebaker wrote:
>> >> Could we add an HTML form for creating new Hackage accounts? Right now, our
>> >> community is small enough that emailing [hidden email] and waiting for
>> >> a manual response isn't too bad of a problem, but as we grow, it would be
>> >> nice for these sorts of things to be handled by a server, like with
>> >> RubyGems and NPM.
>> >
>> > IMHO, a more pressing issue is SSL uploads and package signing. As it
>> > stands, anyone with a Hackage account can upload a new version of any
>> > given package, and some wire-sniffing is enough to reveal a legit user's
>> > password.
>>
>> I'd try to solve the latest two things first before going into
>> creating a specific form.
>>
>> On the other hand, maybe we can rig something up with Yesod or similar
>> to solve all three points at the same time. I'm busy now with my
>> master's dissertation but I can attempt something in a month if it seems
>> ok and no one else does it before that date.
>
> IIRC, there have been previous attempts, or at least a discussion. I
> can't remember what the result was, though.
>
> Either way, it'll take more than just a Yesod web application built over
> a weekend; signed packages would require package authors to, well, sign,
> so cabal would need features for that; you'd also have to extend it to
> *check* those signatures, and give the user options to refuse or allow
> unsigned packages. SSL should be relatively simple though, mostly a
> matter of updating cabal's configuration and installing a suitable
> certificate on the hackage server.

There have been numerous discussions about this already. One of the
tricky things is that cabal uses the HTTP package for http calls, and
it doesn't support SSL. Adding it is non-trivial on Windows, I
believe.

As for the user account creation and uploading packages you don't own,
Hackage 2 (any day now) has fixes for both.

Erik


Re: Automating Hackage accounts

Niklas Hambüchen
> As for the user account creation and uploading packages you don't own,
> Hackage 2 (any day now) has fixes for both.

Does Hackage 2 have SSL at least for the web interface?


Re: Automating Hackage accounts

Brandon Allbery
On Thu, Jun 13, 2013 at 10:48 AM, Niklas Hambüchen <[hidden email]> wrote:
>> As for the user account creation and uploading packages you don't own,
>> Hackage 2 (any day now) has fixes for both.
>
> Does Hackage 2 have SSL at least for the web interface?

Doesn't look like it. :( 

--
brandon s allbery kf8nh                               sine nomine associates
[hidden email]                                  [hidden email]
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net


Re: Automating Hackage accounts

Erik Hesselink
In reply to this post by Niklas Hambüchen
On Thu, Jun 13, 2013 at 4:48 PM, Niklas Hambüchen <[hidden email]> wrote:
>> As for the user account creation and uploading packages you don't own,
>> Hackage 2 (any day now) has fixes for both.
>
> Does Hackage 2 have SSL at least for the web interface?

I think it should be possible to set that up by proxying through e.g.
Apache. You have to be careful to open up all URLs 'cabal' accesses
over http as well, but otherwise, I don't see a problem with that
setup. I'm not quite sure what it would achieve, though.

Erik

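The proxy arrangement Erik describes, with the caveat that the paths cabal fetches must stay reachable over plain HTTP because cabal's HTTP library cannot speak TLS, as an added example in Go rather than an Apache configuration. It is not the thread's or Hackage's code: the backend address, the certificate file names and the `/packages/archive/` prefix are assumptions standing in for the real deployment.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// cabalPrefixes lists the URL path prefixes that cabal itself fetches. The value
// here is an assumed placeholder, not Hackage's real layout; whatever the real
// paths are, they have to remain open over plain HTTP for cabal to keep working.
var cabalPrefixes = []string{"/packages/archive/"}

// IsCabalPath reports whether a request path is one cabal needs over plain HTTP.
func IsCabalPath(p string) bool {
	for _, pre := range cabalPrefixes {
		if strings.HasPrefix(p, pre) {
			return true
		}
	}
	return false
}

// NewProxy builds a reverse proxy to the HTTP-only Hackage backend.
func NewProxy(backend string) (*httputil.ReverseProxy, error) {
	u, err := url.Parse(backend)
	if err != nil {
		return nil, err
	}
	return httputil.NewSingleHostReverseProxy(u), nil
}

// PlainHTTPHandler is what listens on port 80: cabal's paths are proxied as they
// are, and everything else (the web UI, the login and upload forms) is redirected
// to HTTPS so that a password is never sent in the clear.
func PlainHTTPHandler(proxy http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsCabalPath(r.URL.Path) {
			proxy.ServeHTTP(w, r)
			return
		}
		target := "https://" + r.Host + r.URL.RequestURI()
		http.Redirect(w, r, target, http.StatusMovedPermanently)
	})
}

func main() {
	// Assumed address of the HTTP-only Hackage process behind the proxy.
	proxy, err := NewProxy("http://127.0.0.1:8080")
	if err != nil {
		log.Fatal(err)
	}
	go func() {
		log.Fatal(http.ListenAndServe(":80", PlainHTTPHandler(proxy)))
	}()
	// cert.pem and key.pem are placeholders for the certificate obtained for the host.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", proxy))
}
```

The HTTPS listener proxies every path, so a browser user can upload through the form without the password crossing the wire in plain text, while the port 80 listener only passes through what cabal needs and pushes everything else to HTTPS.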

Re: Automating Hackage accounts

Niklas Hambüchen
> I'm not quite sure what it would achieve, though.

That if I want to upload something without my password going over in
plain text, I can at least use the file upload form.


Re: Automating Hackage accounts

Jeremy Shaw-3
In reply to this post by Niklas Hambüchen
No idea, but if not, it should be trivial to add support. The two main issues would be getting an SSL certificate (if one does not already exist) and then making sure that the links do not hardcode the schema. So //hackage.haskell.org/foo instead of http://hackage.haskell.org/.

Then the site can be served using simpleHTTPS instead of simpleHTTP.

- jeremy


On Thu, Jun 13, 2013 at 9:48 AM, Niklas Hambüchen <[hidden email]> wrote:
>> As for the user account creation and uploading packages you don't own,
>> Hackage 2 (any day now) has fixes for both.
>
> Does Hackage 2 have SSL at least for the web interface?


Re: Automating Hackage accounts

Alp Mestanogullari
Most of the issues raised here indeed are addressed in Hackage2 already, or are planned to be. Too few people working on it though. See the "Hackage mess" section in [1] for more info on Hackage2 and [2] to see the running instance.




On Thu, Jun 13, 2013 at 5:13 PM, Jeremy Shaw <[hidden email]> wrote:
> No idea, but if not, it should be trivial to add support. The two main issues would be getting an SSL certificate (if one does not already exist) and then making sure that the links do not hardcode the schema. So //hackage.haskell.org/foo instead of http://hackage.haskell.org/.
>
> Then the site can be served using simpleHTTPS instead of simpleHTTP.
>
> - jeremy
>
>
> On Thu, Jun 13, 2013 at 9:48 AM, Niklas Hambüchen <[hidden email]> wrote:
>>> As for the user account creation and uploading packages you don't own,
>>> Hackage 2 (any day now) has fixes for both.
>>
>> Does Hackage 2 have SSL at least for the web interface?

--
Alp Mestanogullari
