cabal-install: Replacing HTTP with HTTPS

Bob Ippolito bob at
Thu Apr 3 15:57:26 UTC 2014

On Thu, Apr 3, 2014 at 8:38 AM, Bryan O'Sullivan <bos at> wrote:

> On Thu, Apr 3, 2014 at 7:44 AM, Bob Ippolito <bob at> wrote:
>> If it works, how would it be worse than using no encryption
>> whatsoever? Sure, maybe there would be a false sense of security, but it
>> seems like a step in the right direction.
> Presumably that's the problem. We'd have a possibly zero amount of
> end-to-end security, coupled with a possibly zero amount of trust in the
> remote endpoint, but we have 20 years of human factors experience
> demonstrating that people trust SSL by default even when they shouldn't.

Aren't we already well into the "people trust cabal-install by default even
when they shouldn't" phase? :)

For libraries that wrap a well scrutinized implementation, it appears that
HsOpenSSL has some usage.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the cabal-devel mailing list