Closed jamesdbrock closed 1 year ago
I just found the section of Hackage which forbids my entire approach
https://hackage.haskell.org/upload
so let's talk about that.
Here’s the point of the https://github.com/haskell-github-trust GitHub org:
Every member of the org can publish any package in the org without knowing the password for the Hackage haskell_github_trust account.
The only way I can see to set that up is if the haskell_github_trust account is in the uploader group.
Then I can use GitHub Secrets and the Hackage Authentication Token to publish with a GitHub Action.
This approach would bypass the “Candidate” upload feature and publish directly. So of course, it would probably result in a lot of package versions for minor fixes. Which I understand is something the Hackage trustees want to avoid, because with the immutable package structure of Hackage this increases the size of the index. And furthermore tainted package versions are irrevocable.
I would propose an alternate approach. If a package has haskell_github_trust as a maintainer, then the hackage admins are willing to add anybody from the haskell_github_trust organization on github as a further maintainer, on their request, without an intervening hackage takeover process.
My understanding is that if a package has haskell_github_trust as a maintainer, then the haskell_github_trust account can add maintainer uploader accounts (without Hackage Trustee intervention). That is the approach suggested by the Group Accounts paragraph.
But that has to be done manually, and cannot be done automatically with only the haskell_github_trust Authentication Token. So then we must either disseminate the haskell_github_trust password to everyone, or else have a special class of haskell_github_trust “admins” who must be pestered for upload permission. Which is what I want to avoid.
I can see why these policies make sense for Hackage because they enforce uploader accountability.
If the Hackage haskell_github_trust account cannot be an uploader account, then maybe the best solution is to make the haskell_github_trust account password visible to all https://hackage.haskell.org/user/haskell_github_trust org members.
Then any member can use the haskell_github_trust account to add their own uploader account to the maintainers list of a package.
A malicious haskell_github_trust member could “steal” a package by removing all of the other maintainers from the package. But in that rare event we could just appeal to the Hackage Trustees to restore the package by the usual process.
Okay, so that's what I'm going to do: make haskell_github_trust a “Group Account” without uploader privilege.
Dear Hackage Trustees, please add user
https://hackage.haskell.org/user/haskell_github_trust
to the uploader group.
Here are the packages which I intend to upload to start out with. There will be more in the future. https://github.com/orgs/haskell-github-trust/repositories
This is an organization account which I will share with other people. The README for this organization explains what this is about. https://github.com/haskell-github-trust
I sent this request as an email from haskellgithubtrust@gmail.com but it was rejected by SpamAssassin. Can I make this request here in this issue instead?
Here's the SpamAssassin report: