cabal-install: Replacing HTTP with HTTPS

Bob Ippolito bob at
Thu Apr 3 14:44:58 UTC 2014

On Thursday, April 3, 2014, Johan Tibell <johan.tibell at> wrote:

> On Thu, Apr 3, 2014 at 12:02 AM, Nikita Karetnikov <nikita at<javascript:_e(%7B%7D,'cvml','nikita at');>
> > wrote:
>> > The big question we have to answer first is, how do we want to support
>> SSL?
>> > Do we want to use an existing, well-tested, well scrutinized SSL
>> > implementation and FFI bind to it? If so, which one and why? If not,
>> are we
>> > comfortable enough with writing a correct SSL implementation? That's
>> very
>> > hard.
>> Why write your own?  We could try to come up with a list of
>> requirements, so every HTTPS library on Hackage could be evaluated.  Is
>> anyone knowledgeable of cabal-install interested in composing such a
>> list?
> "Write our own" as in "use a pure Haskell implementation of SSL from
> Hackage". This has been suggested when this question came up in the past
> and I'm skeptical to that from a security perspective.

If it works, how would it be worse than using no encryption
whatsoever? Sure, maybe there would be a false sense of security, but it
seems like a step in the right direction.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the cabal-devel mailing list