[Hackage] #946: Packages are downloaded insecurely

Hackage cvs-ghc at haskell.org
Thu Apr 26 12:16:58 CEST 2012

#946: Packages are downloaded insecurely
  Reporter:  cooldude       |        Owner:          
      Type:  defect         |       Status:  new     
  Priority:  high           |    Milestone:          
 Component:  Cabal library  |      Version:
  Severity:  major          |     Keywords:          
Difficulty:  unknown        |   Ghcversion:          
  Platform:                 |  
 It appears that when running cabal install package, the package is
 downloaded without any transport security.

 Anyone who can perform a man in the middle attack could tamper with the
 package that is being downloaded, resulting in a complete compromise of
 the cabal user.

 This makes it impossible to use cabal.

 The servers should utilize TLS, it is possible to get a free certificate
 from startcom if price is a concern.

 Additionally when packages are verified as non-malicious, they should be
 signed with a "cabal" signing key, and then the package signatures should
 be verified by cabal.

Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/946>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects

More information about the cabal-devel mailing list