Ticket #239 (closed defect: fixed)
security hole: anyone can replace a package
Reported by: guest
Owned by: (unassigned)
It is possible for any registered user to upload a new version of a package without reference to the actual maintainer of the package. The new upload can even have the same name and version number as an existing package. Not only does this allow a malicious or misguided person to arbitrarily change or remove good code: there is also no notification on the webpage of the package about who uploaded it - only the author/maintainer fields of the cabal file. Needless to say, the latter may not be very happy that their name is associated with a corrupt package that they did not upload or authorise.
Recently, a significant number of packages have been uploaded without their maintainers' knowledge, so this could be a real problem. A quick fix would be to list the uploader's name against every package, so that the paranoid user can make an informed decision about its status. Ultimately the decision about whether to trust a package is a social and community issue, but the lack of transparency in discovering relevant information is a technical problem that does have a solution.
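The two controls the report asks for, an ownership check on upload and an uploader name recorded per release and shown on the package page, as an added illustration in Python. This is not the ticket's own code nor the actual Hackage implementation; the package names, user names and the first-upload-claims-ownership rule are constructed assumptions for the example.

```python
from dataclasses import dataclass, field


class UploadRejected(Exception):
    """Raised when an upload fails the ownership or immutability check."""


@dataclass
class Release:
    version: str
    uploader: str          # the authenticated account that performed the upload
    cabal_maintainer: str  # the Maintainer field claimed by the .cabal file (not trusted)


@dataclass
class PackageIndex:
    # package name -> set of accounts allowed to upload new versions (constructed model)
    maintainers: dict = field(default_factory=dict)
    # package name -> version -> Release
    releases: dict = field(default_factory=dict)

    def upload(self, user: str, name: str, version: str, cabal_maintainer: str) -> Release:
        """Accept an upload only from a registered maintainer of the package.

        Assumption for this example: the first upload of a previously unused
        name claims it for the uploader. Later uploads must come from that set.
        """
        owners = self.maintainers.setdefault(name, set())
        if not owners:
            owners.add(user)
        elif user not in owners:
            raise UploadRejected(f"{user} is not a maintainer of {name}")

        versions = self.releases.setdefault(name, {})
        if version in versions:
            # an existing name+version must never be silently replaced
            raise UploadRejected(f"{name}-{version} already exists; releases are immutable")

        rel = Release(version=version, uploader=user, cabal_maintainer=cabal_maintainer)
        versions[version] = rel
        return rel

    def add_maintainer(self, acting_user: str, name: str, new_user: str) -> None:
        """Only an existing maintainer may delegate upload rights."""
        owners = self.maintainers.get(name, set())
        if acting_user not in owners:
            raise UploadRejected(f"{acting_user} may not change maintainers of {name}")
        owners.add(new_user)

    def package_page(self, name: str, version: str) -> str:
        """Render the transparency line the ticket asks for: who actually uploaded it."""
        rel = self.releases[name][version]
        return (f"{name}-{rel.version}\n"
                f"Maintainer (from .cabal): {rel.cabal_maintainer}\n"
                f"Uploaded by: {rel.uploader}")


def demo() -> dict:
    """Walk through the scenario from the report with constructed users and packages."""
    index = PackageIndex()
    outcome = {}
    index.upload("alice", "example-pkg", "1.0", "Alice <alice@example.invalid>")
    # an unrelated registered user tries to replace the existing release
    try:
        index.upload("mallory", "example-pkg", "1.0", "Alice <alice@example.invalid>")
        outcome["replace_by_stranger"] = "accepted"
    except UploadRejected:
        outcome["replace_by_stranger"] = "rejected"
    # ... and to publish a new version under the same name
    try:
        index.upload("mallory", "example-pkg", "1.1", "Alice <alice@example.invalid>")
        outcome["new_version_by_stranger"] = "accepted"
    except UploadRejected:
        outcome["new_version_by_stranger"] = "rejected"
    # even the maintainer cannot overwrite a published version in place
    try:
        index.upload("alice", "example-pkg", "1.0", "Alice <alice@example.invalid>")
        outcome["overwrite_by_owner"] = "accepted"
    except UploadRejected:
        outcome["overwrite_by_owner"] = "rejected"
    outcome["page"] = index.package_page("example-pkg", "1.0")
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping `uploader` separate from `cabal_maintainer` is that the latter is attacker-controlled metadata inside the archive, while the former is the authenticated identity the index itself observed; only the second belongs in an authorization decision or an audit trail.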