
packages.json: support (require?) SHA in addition to version

Open matthewleon opened this issue 7 years ago • 4 comments

Requiring a hash in addition to the version tag would be a cheap additional layer of security. As it stands, a package author could maliciously amend a tag in their git repo, no?

matthewleon avatar Aug 09 '17 19:08 matthewleon
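An added example, not psc-package's own code, of the check such a pin would enable: each packages.json entry carries a hypothetical `sha` field, and the tag named in `version` is resolved through `git ls-remote --tags` so that a tag moved after the set was published is reported as a mismatch. The `resolve` callback stands in for running git, and both the packages.json content and the ls-remote output are constructed.

```python
import json
import re

# Constructed packages.json. "repo" and "version" mirror psc-package's real
# fields; "sha" is the pin proposed in this issue, not an upstream field.
PACKAGES_JSON = """{
  "prelude": {"repo": "https://github.com/example-org/purescript-prelude.git",
              "version": "v3.1.0",
              "sha": "3f786850e387550fdab836ed7e6dc881de23001b"},
  "effect":  {"repo": "https://github.com/example-org/purescript-effect.git",
              "version": "v2.0.0"}
}"""
# Constructed `git ls-remote --tags <repo>` output. An annotated tag appears as
# its tag object plus a peeled "^{}" line naming the commit; pin the commit.
LS_REMOTE = {
    "https://github.com/example-org/purescript-prelude.git":
        "89e6c98d92887913cadf06b2adb97f26cde4849b\trefs/tags/v3.1.0\n"
        "3f786850e387550fdab836ed7e6dc881de23001b\trefs/tags/v3.1.0^{}\n",
}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_ls_remote_tags(output):
    """Map tag name -> commit hash; peeled "^{}" entries override tag objects."""
    tags, peeled = {}, {}
    for line in output.splitlines():
        sha, _, ref = line.partition("\t")
        if ref.startswith("refs/tags/"):
            name = ref[len("refs/tags/"):]
            if name.endswith("^{}"):
                peeled[name[:-3]] = sha
            else:
                tags[name] = sha
    return {**tags, **peeled}

def check_package_set(packages_json, resolve):
    """One problem string per package whose sha pin is missing or wrong."""
    problems = []
    for name, entry in json.loads(packages_json).items():
        sha, tag = entry.get("sha"), entry["version"]
        if sha is None:
            problems.append(f"{name}: no sha pinned for {tag}")
        elif not SHA1_RE.match(sha):
            problems.append(f"{name}: malformed sha {sha!r}")
        else:
            actual = parse_ls_remote_tags(resolve(entry["repo"])).get(tag)
            if actual is None:
                problems.append(f"{name}: tag {tag} not found")
            elif actual != sha:
                problems.append(f"{name}: tag {tag} now points at {actual}")
    return problems
```

In practice `resolve` would run `git ls-remote --tags <repo>` via subprocess and return its stdout.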

Sounds like a good idea.

paf31 avatar Aug 09 '17 19:08 paf31

Adding this here as a related consideration: https://theupdateframework.github.io/

Since Hackage implements this, it might not be too hard to steal code from them at some future point. https://github.com/haskell/hackage-security

This might not be applicable given that psc-package works in a fundamentally different way from Hackage, but at least there might be some ideas to take inspiration from.

matthewleon avatar Aug 10 '17 10:08 matthewleon

See also https://github.com/purescript/package-sets/issues/32

Pauan avatar Aug 10 '17 13:08 Pauan

@Pauan thanks. Good to see I'm not the only one with this concern. I will do some reading and have a think.

matthewleon avatar Aug 10 '17 14:08 matthewleon