Re: ANN: Hackage Account Registration Changes

Re: ANN: Hackage Account Registration Changes

Matthias Kilian
Hi,

On Thu, Feb 22, 2018 at 05:54:33PM -0500, Gershom B wrote:

> In the meantime, as a short term measure, we have changed new account
> registration policies on hackage.
>
> Users can still register as before, but new users do _not_ have upload
> rights until they explicitly request them and are granted them by a
> human being.
>
> (This is actually how we had configured hackage to work on initial
> deployment -- we loosened things up for some years as the extra step
> seemed unnecessary).

Does this mean that before today's change, anyone (or anything)
could register and upload packages without any review and without
any acknowledgement for trustfulness by another person? Does it
mean that one can't trust *any* package on hackage.haskell.org at
least a little bit (based on trust between acknowledging persons
and reputation) without reviewing the package's source code?

Ciao,
        Kili
_______________________________________________
Haskell mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell

Re: ANN: Hackage Account Registration Changes

Geoffrey Huntley
I feel that this is the wrong direction to take and will add more burden on people that we shouldn't be adding additional burden to. It's also the wrong "optics".

I just had a quick squizz at Hackage; with a simple PR you'll be able to remove the incentives for this behaviour.

Add "nofollow" to any links supplied by the user or that are rendered as part of parsing user input.


The .NET ecosystem recently went through these same notions for the same reasons - here's the PR 


On Fri., 23 Feb. 2018, 10:38 am Matthias Kilian, <[hidden email]> wrote:
Hi,

On Thu, Feb 22, 2018 at 05:54:33PM -0500, Gershom B wrote:
> In the meantime, as a short term measure, we have changed new account
> registration policies on hackage.
>
> Users can still register as before, but new users do _not_ have upload
> rights until they explicitly request them and are granted them by a
> human being.
>
> (This is actually how we had configured hackage to work on initial
> deployment -- we loosened things up for some years as the extra step
> seemed unnecessary).

Does this mean that before today's change, anyone (or anything)
could register and upload packages without any review and without
any acknowledgement for trustfulness by another person? Does it
mean that one can't trust *any* package on hackage.haskell.org at
least a little bit (based on trust between acknowledging persons
and reputation) without reviewing the package's source code?

Ciao,
        Kili