stackage-upload: A more secure version of cabal upload which uses HTTPS
Downloads
- stackage-upload-0.1.0.6.tar.gz [browse] (Cabal source package)
- Package description (as included in the package)
Maintainer's Corner
For package maintainers and hackage trustees
Candidates
- No Candidates
| Versions [RSS] | 0.1.0.0, 0.1.0.1, 0.1.0.2, 0.1.0.3, 0.1.0.4, 0.1.0.5, 0.1.0.6 |
|---|---|
| Change log | ChangeLog.md |
| Dependencies | aeson, base (>=4.5 && <5), bytestring (>=0.9), directory (>=1.1), filepath (>=1.2), http-client (>=0.4), http-client-tls (>=0.2), http-types, optparse-applicative, process (>=1), stackage-cli, stackage-upload, temporary (>=1.2), text (>=0.11) [details] |
| License | MIT |
| Author | Michael Snoyman |
| Maintainer | michael@snoyman.com |
| Category | Distribution |
| Home page | https://github.com/fpco/stackage-upload |
| Source repo | head: git clone git://github.com/fpco/stackage-upload.git |
| Uploaded | by lehins at 2016-09-06T10:34:12Z |
| Distributions | |
| Reverse Dependencies | 1 direct, 1 indirect [details] |
| Executables | stackage-upload |
| Downloads | 4812 total (18 in the last 30 days) |
| Rating | (no votes yet) [estimated by Bayesian average] |
| Your Rating | |
| Status | Docs available [build log] Last success reported on 2016-09-06 [all 1 reports] |
Readme for stackage-upload-0.1.0.6
[back to package description]stackage-upload
stackage-upload provides a more secure version of the cabal upload command
by using HTTPS. When uploading a package to Hackage, cabal upload will
perform the upload in plain-text via unencrypted HTTP, using basic
authentication,
which is vulnerable to both man in the middle (MITM) and eavesdropping attacks
(anyone sniffing your packets can get your username and password). This package
instead uses secure HTTPS to upload to avoid both of these attacks.
To install, simply run cabal update && cabal install stackage-upload. Usage
is quite similar to cabal upload: just call stackage-upload and pass in a list
of tarballs to upload. (If you have
stackage-cli installed, you can call
stk upload instead.) stackage-upload --help will provide full options.
Why not fix cabal?
I'd be happy to add TLS support to cabal-install directly (using Vincent's
tls package), but the two last times this topic came up, I have been unable
to find a proposal that is acceptable to the Cabal project (mostly around
Haskell Platform requirements). I made an open offer to send the pull request
myself to move cabal-install over to http-client to get TLS support (either via
http-client-tls or http-client-openssl).
Why Stackage?
See the same question and its answer on stackage-update.
Future enhancements
- Store passwords securely via GPG encryption
- Upload documentation to Hackage (work around the sometimes-broken doc builder)
- Perform pre-upload checks, such as running the test suite from the tarball to check for missing files
History
This tool was something that I (Michael Snoyman) wrote for myself a while back,
and decided to rebrand as stackage-upload when the severity of the insecure
upload situation became apparent to me, and it became obvious that there was no
path forward for getting cabal-install fixed.
I actually consider this situation to be so dangerous that I would like to ask the Hackage Server team to consider turning off insecure uploads to Hackage. The current possibility for corrupted uploads to infect all users of a package is alarmingly high.