Name security in additional package repositories #8502

@michaelpj

This might belong in hackage-security, not sure.

Suppose that you want to use an additional package repository P to distribute semi-private packages that you don't want to put on Hackage for some reason. Nonetheless, you still need to use Hackage for everything else.

This opens you up to an attack whereby someone else uploads a package with the same name to Hackage with a higher version number, and you unsuspectingly start using it next time you update your index.

We can't stop people uploading packages to Hackage - this could all happen innocently and the whole point is that you're deliberately not squatting the names on Hackage.

It would be nice if there was a technical solution to this. The options we have today are:

  • Put P last in active-repositories. This means that P will be preferred if there is a name+version clash, but doesn't stop an attacker from uploading a newer version, which won't clash :(
  • Use :override. This makes you secure! It means that you will never pick a version of X from Hackage so long as P contains a version of X. But it prevents you from ever uploading X to Hackage yourself, because your old versions of X will stick around and prevent the newer ones on Hackage from being chosen :(
  • Squat the names on Hackage :(
  • Give up and just hope nobody attacks you :(

:override comes closest to getting us what we want. Possibly there's a design tweak that would make this all work nicely. I don't have an idea right now but I thought I'd open this issue in case anyone else does.

(Q: what do other package distribution systems do in this kind of situation?)
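The two configurations the post compares, written out as an added cabal.project example (this is not from the issue or from the cabal project itself). The repository name `private-repo`, its URL and the root-key placeholders are assumptions standing in for the post's repository P; the `repository` stanza fields and the `active-repositories` syntax, including the `:override` suffix, are the ones cabal-install documents.

```cabal
-- cabal.project (added example, not from the issue). "private-repo", its
-- URL and the root-key placeholders are hypothetical; replace them with
-- the values published by whoever operates the repository.
packages: .

repository private-repo
  url: https://private-repo.example.invalid/
  secure: True
  -- TUF root key IDs and signing threshold for the repository's index.
  -- Placeholders: an unrelated or attacker-controlled mirror must not be
  -- able to satisfy these.
  root-keys: <root-key-id-1>, <root-key-id-2>, <root-key-id-3>
  key-threshold: 2

-- Option 1 (weak): P last, so it only wins exact name+version clashes.
-- If Hackage later gains foo-1.3 while private-repo only has foo-1.2,
-- the solver happily picks foo-1.3 from Hackage.
-- active-repositories: hackage.haskell.org, private-repo

-- Option 2 (:override): any package name that private-repo provides is
-- taken only from private-repo; Hackage versions of the same name are
-- ignored entirely, newer ones included. The cost described in the post
-- applies: moving foo to Hackage later is blocked while any old foo
-- remains in private-repo.
active-repositories: hackage.haskell.org, private-repo:override
```

After changing `active-repositories`, run `cabal update` and re-run the solver with `cabal build --dry-run` to confirm that every package you expect to come from P is resolved from P rather than from hackage.haskell.org.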
