cabal-install: Replacing HTTP with HTTPS

Bob Ippolito bob at redivi.com
Thu Apr 3 14:44:58 UTC 2014


On Thursday, April 3, 2014, Johan Tibell <johan.tibell at gmail.com> wrote:

> On Thu, Apr 3, 2014 at 12:02 AM, Nikita Karetnikov <nikita at karetnikov.org<javascript:_e(%7B%7D,'cvml','nikita at karetnikov.org');>
> > wrote:
>
>> > The big question we have to answer first is, how do we want to support
>> SSL?
>> > Do we want to use an existing, well-tested, well scrutinized SSL
>> > implementation and FFI bind to it? If so, which one and why? If not,
>> are we
>> > comfortable enough with writing a correct SSL implementation? That's
>> very
>> > hard.
>>
>> Why write your own?  We could try to come up with a list of
>> requirements, so every HTTPS library on Hackage could be evaluated.  Is
>> anyone knowledgeable of cabal-install interested in composing such a
>> list?
>>
>
> "Write our own" as in "use a pure Haskell implementation of SSL from
> Hackage". This has been suggested when this question came up in the past
> and I'm skeptical to that from a security perspective.
>

If it works, how would it be worse than using no encryption
whatsoever? Sure, maybe there would be a false sense of security, but it
seems like a step in the right direction.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/cabal-devel/attachments/20140403/3f2070a0/attachment.html>


More information about the cabal-devel mailing list