ZuriHac2015/Projects/hackage-security

From HaskellWiki

Topic

hackage-security is an effort to bring security to the cabal environment. It is based on The Update Framework (TUF), which was inspired by Tor's built-in software update system. TUF is an implementation-independent specification backed by a number of scientific publications and a reference implementation in Python. hackage-security is an effort to implement TUF for hackage/cabal, and has led to a few improvements and clarifications in the standard along the way.

Tasks

  • Link hackage-server against hackage-security so that it delivers a cryptographically signed package index and package hashes. The toy cabal-install that ships with hackage-security can be used to test this, so there is no need to touch cabal-install.
  • Link cabal-install against hackage-security so that package download and installation are verified. (A tool for running secure local hackage repositories ships with hackage-security, so there is no need to touch hackage-server.)
  • Add support for cryptographic credentials to the cabal config parser.
  • hackage-server comes with a mirroring tool (MirrorClient.hs) for keeping two hackage servers in sync. Rewrite the download and/or upload part so that it provides TUF's security guarantees for the mirror and its users.
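The guarantees the tasks above ask for come from TUF's chain of signed metadata: a timestamp role pins the current snapshot by hash, the snapshot pins the package index, and the index pins every package tarball, with a version number and an expiry on each signed role so that a compromised or malicious mirror can neither replay old metadata nor freeze clients on a stale but validly signed state. The Go program below is an added example written for this page, not code from hackage-security, cabal or the TUF reference implementation. It simplifies the spec: there is no root role or targets delegation (the client simply pins the timestamp and snapshot public keys), the wire format is a 64-byte Ed25519 signature prepended to the role's JSON, and the field names, the "pkg-version" index keys, the clock and the tarball bytes are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Role is one link of the chain: a version (detects rollback), an expiry
// (detects a frozen mirror) and the SHA-256 of the file it vouches for.
type Role struct {
	Version    int       `json:"version"`
	Expires    time.Time `json:"expires"`
	PinsSHA256 string    `json:"pins_sha256"`
}

// Client pins the two role keys and remembers the highest versions it accepted.
type Client struct {
	TimestampKey, SnapshotKey   ed25519.PublicKey
	Now                         time.Time
	LastTimestamp, LastSnapshot int
}

func sha256hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// sign prepends a 64-byte Ed25519 signature to the role's JSON encoding.
func sign(key ed25519.PrivateKey, r Role) []byte {
	body, _ := json.Marshal(r)
	return append(ed25519.Sign(key, body), body...)
}

// BuildRepo is the server side: an index of tarball hashes (map keys are emitted
// sorted, so the JSON is canonical), a snapshot signing the index hash and a
// timestamp signing the snapshot hash. Tarballs are served separately.
func BuildRepo(tsKey, snapKey ed25519.PrivateKey, version int, expires time.Time, tarballs map[string][]byte) map[string][]byte {
	index := map[string]string{}
	for name, tar := range tarballs {
		index[name] = sha256hex(tar)
	}
	indexRaw, _ := json.Marshal(index)
	snapRaw := sign(snapKey, Role{Version: version, Expires: expires, PinsSHA256: sha256hex(indexRaw)})
	tsRaw := sign(tsKey, Role{Version: version, Expires: expires, PinsSHA256: sha256hex(snapRaw)})
	return map[string][]byte{"timestamp": tsRaw, "snapshot": snapRaw, "index": indexRaw}
}

// step verifies one role's signature, expiry and version and checks that it
// pins the next file in the chain, returning the role's version on success.
func (c *Client) step(name string, pub ed25519.PublicKey, raw []byte, last int, next []byte) (int, error) {
	var r Role
	n := ed25519.SignatureSize
	if len(raw) < n || !ed25519.Verify(pub, raw[n:], raw[:n]) {
		return 0, fmt.Errorf("%s: bad signature", name)
	}
	if err := json.Unmarshal(raw[n:], &r); err != nil {
		return 0, fmt.Errorf("%s: %w", name, err)
	}
	if !c.Now.Before(r.Expires) {
		return 0, fmt.Errorf("%s: expired at %s", name, r.Expires.Format(time.RFC3339))
	}
	if r.Version < last {
		return 0, fmt.Errorf("%s: rollback, version %d < last seen %d", name, r.Version, last)
	}
	if sha256hex(next) != r.PinsSHA256 {
		return 0, fmt.Errorf("%s: pinned file hash mismatch", name)
	}
	return r.Version, nil
}

// Install walks timestamp -> snapshot -> index -> tarball over untrusted mirror
// files and returns the tarball only if every link verifies.
func (c *Client) Install(files, tarballs map[string][]byte, pkg string) ([]byte, error) {
	tsVer, err := c.step("timestamp", c.TimestampKey, files["timestamp"], c.LastTimestamp, files["snapshot"])
	if err != nil {
		return nil, err
	}
	snapVer, err := c.step("snapshot", c.SnapshotKey, files["snapshot"], c.LastSnapshot, files["index"])
	if err != nil {
		return nil, err
	}
	var index map[string]string
	if err := json.Unmarshal(files["index"], &index); err != nil {
		return nil, err
	}
	if want, ok := index[pkg]; !ok || sha256hex(tarballs[pkg]) != want {
		return nil, fmt.Errorf("%s: not in index or tarball hash mismatch", pkg)
	}
	c.LastTimestamp, c.LastSnapshot = tsVer, snapVer // only advance on full success
	return tarballs[pkg], nil
}

func main() {
	tsPub, tsPriv, _ := ed25519.GenerateKey(rand.Reader)
	snapPub, snapPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2015, 5, 30, 12, 0, 0, 0, time.UTC) // constructed clock
	tarballs := map[string][]byte{"foo-1.0": []byte("constructed tarball for foo-1.0")}
	c := &Client{TimestampKey: tsPub, SnapshotKey: snapPub, Now: now}
	_, err := c.Install(BuildRepo(tsPriv, snapPriv, 2, now.Add(24*time.Hour), tarballs), tarballs, "foo-1.0")
	fmt.Println("honest mirror:", err)
	_, err = c.Install(BuildRepo(tsPriv, snapPriv, 1, now.Add(24*time.Hour), tarballs), tarballs, "foo-1.0")
	fmt.Println("mirror replays version 1 after the client accepted 2:", err)
}
```

The mirror in this model is a plain file server and never holds a signing key, which is the point of the MirrorClient.hs task: a mirror can relay the signed timestamp, snapshot and index bytes verbatim but cannot produce acceptable ones itself, so substituting a tarball, mixing a snapshot from one version with the timestamp of another, or serving last month's metadata all fail at the client. What this example leaves out, and what a real hackage-security client must do, is obtain the role keys from a signed root role so they can be rotated, and apply a threshold of signatures rather than a single key per role.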

Links

An introduction to hackage-security (slightly outdated, but links to further reading):

The code: