saveCreds() creates ~/.stack/upload/credentials.json (containing Hackage username and password) without explicit file permissions, which results in the default umask being used, which is typically rw-rw-r, e.g. on Ubuntu.
This means that when your home directory is also world-readable (on Ubuntu it is, rwxr-xr-x), other users can grab your Hackage credentials.
For single user systems this is less problematic but not ideal for e.g. university setups where all users' homes are mounted over NFS.
The fix would be for stack to create this file with rw------- permissions (and ideally check this when reading so that upgrades from old versions of stack can notice the problem).
Independently, as a person who generally dislikes any on-disk plaintext passwords, I'd prefer if the default behaviour was not to save the credentials on disk, but use a flag for that.
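The fix proposed above (create the file as rw------- and check the mode again when reading), sketched as an added example that is not stack's code and not part of the original report. It uses Python rather than Haskell to show the POSIX calls involved; `save_creds`, `load_creds`, `demo` and the sample values are hypothetical.

```python
import json
import os
import stat
import tempfile

PRIVATE_MODE = 0o600  # rw-------


def save_creds(path, username, password):
    """Write credentials so group and other never get access."""
    # The mode given to os.open() applies only when the file is created;
    # 0o600 has no group/other bits, so no umask can widen it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_MODE)
    with os.fdopen(fd, "w") as f:
        # A file left by an older version keeps its old mode, so tighten it
        # explicitly before the secret is written.
        os.fchmod(f.fileno(), PRIVATE_MODE)
        json.dump({"username": username, "password": password}, f)


def load_creds(path):
    """Read credentials, refusing a file that group or other can access."""
    with open(path, "rb") as f:
        # fstat on the open descriptor checks the file actually being read.
        mode = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} has mode {mode:o}, expected {PRIVATE_MODE:o}")
        return json.load(f)


def demo():
    """Constructed scenario: a file left by an old version, then the fix."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials.json")
        with open(path, "w") as f:
            f.write("{}")
        os.chmod(path, 0o664)  # constructed: what a 0002 umask leaves behind
        try:
            load_creds(path)
            rejected = False
        except PermissionError:
            rejected = True
        save_creds(path, "alice", "placeholder-password")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return rejected, mode, load_creds(path)["username"]


if __name__ == "__main__":
    print(demo())
```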