stackage-upload

A more secure version of cabal upload which uses HTTPS. When uploading a package to Hackage, cabal-install will perform the upload in plain-text, unencrypted HTTP, which is vulnerable to man in the middle (MITM) attacks. This package instead uses secure HTTPS upload to avoid both MITM attacks, and possibly eavesdropping attacks (though the latter are yet unproven). In the future, additionally functionality may be added.

To install, simply run cabal update && cabal install stackage-upload. Usage is quite similar cabal upload: just call stackage-upload and pass in a list of tarballs to upload. (If you have stackage-cli installed, you can call stk upload instead.) stackage-upload --help will provide full options.

Why not fix cabal?

A legitimate question is why not add HTTPS support to cabal-install? The answer is that I tried. At least as of April 2015, there was no proposal I was able to make that allowed TLS support to be added to cabal-install, due to policies regarding dependencies in the Cabal project. I would be much happier to add this support there (and, at the same time, add secure download support, which is also severely lacking). I made an open offer in April 2015, and the offer stands: if the Cabal project gives me the green light to add http-client as a dependency to cabal-install, I'll send the pull request myself.

To give some more background: Cabal currently requires that all dependencies be part of the Haskell Platform. I disagree with this decision, since distributing a binary does not require that the libraries be available as well. The last time TLS support in the Platform was raised, the best option for this support (Vincent's wonderful tls package was vetoed because it didn't follow the Package Versioning Policy's strict upper bounds approach. (Ironically, the alternative package mentioned there, http-streams, also doesn't have upper bounds on all dependencies.)

Why Stackage?

See the same question and its answer on stackage-update.

Future enhancements

• Store passwords securely via GPG encryption
• Upload documentation to Hackage (work around the sometimes-broken doc builder)
• Perform pre-upload checks, such as running the test suite from the tarball to check for missing files

History

This tool was something that I (Michael Snoyman) wrote for myself a while back, and decided to rebrand as stackage-upload when the severity of the insecure upload situation became apparent to me, and it became obvious that there was no path forward for getting cabal-install fixed.

I actually consider this situation to be so dangerous, I would like to ask the Hackage Server team to consider turning off insecure uploads to Hackage. The current possibility for corrupted uploads to infect all users of a package is alarmingly high.