
One problem with Cabal is that it pulls packages from Hackage, and as has been discussed some time ago, there are many ways a piece of malicious code can get in.

Does Stack improve the situation and does it take any precautions against that? Is it possible to make sure that all code downloaded externally for a given project is verified?

This includes extra dependencies - if there are any declared, is it possible to let stack verify them, for example to give an expected hash of the downloaded package?

Petr
  • I suggest asking on [the stack issue tracker](https://github.com/commercialhaskell/stack/issues). They have a label `type: question`, so I guess that questions are welcome. That being said, stack has some checksum verification stuff ready, see `Network.HTTP.Download.Verified`. Unfortunately, I have no idea how and where it's used throughout the whole stack execution. – Zeta Jan 09 '16 at 21:03
  • @Zeta Good idea, [done](https://github.com/commercialhaskell/stack/issues/1636). – Petr Jan 10 '16 at 08:23

1 Answer


Yup, stack has had security for this for nearly half a year. Here's a relevant blogpost: https://www.fpcomplete.com/blog/2015/07/package-security-in-stack

mgsloan
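As an added illustration (not part of the question or the answer above, and not taken from the Stack project), this is how the hash pinning the question asks about is written in a `stack.yaml` for Stack 2.x and later: a Hackage extra-dep carries the expected SHA-256 and byte size of its `.cabal` file revision, optionally together with the hash of the unpacked package tree (`pantry-tree`), and a git extra-dep is pinned to an exact commit rather than a branch. The resolver, the repository URL, and every digest, size and commit value below are dummy placeholders chosen for illustration; Stack compares the real download against whatever you put here and aborts the build on a mismatch, so take the values from Stack's own output for the dependency.

```yaml
resolver: lts-18.28   # placeholder; any resolver works for this illustration

extra-deps:
  # Hackage package pinned by the SHA-256 digest and byte size of its .cabal
  # file revision, plus the digest and size of the unpacked package tree.
  # The digests and sizes are placeholders, not real values.
  - hackage: acme-missiles-0.3@sha256:0000000000000000000000000000000000000000000000000000000000000001,613
    pantry-tree:
      size: 226
      sha256: "0000000000000000000000000000000000000000000000000000000000000002"

  # Git dependency pinned to an exact commit (placeholder repo and commit id),
  # so a moved branch or tag cannot silently change what is built.
  - git: https://github.com/example/somelib.git
    commit: 0123456789abcdef0123456789abcdef01234567
```

Stack 2.x also records the resolved digests of every extra-dep in a generated `stack.yaml.lock`; committing that file alongside `stack.yaml` gives every checkout the same pinned inputs even for entries you did not hand-pin.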