cabal-install: Replacing HTTP with HTTPS

Bob Ippolito bob at redivi.com
Thu Apr 3 15:57:26 UTC 2014


On Thu, Apr 3, 2014 at 8:38 AM, Bryan O'Sullivan <bos at serpentine.com> wrote:

>
> On Thu, Apr 3, 2014 at 7:44 AM, Bob Ippolito <bob at redivi.com> wrote:
>
>> If it works, how would it be worse than using no encryption
>> whatsoever? Sure, maybe there would be a false sense of security, but it
>> seems like a step in the right direction.
>>
>
> Presumably that's the problem. We'd have a possibly zero amount of
> end-to-end security, coupled with a possibly zero amount of trust in the
> remote endpoint, but we have 20 years of human factors experience
> demonstrating that people trust SSL by default even when they shouldn't.
>

Aren't we already well into the "people trust cabal-install by default even
when they shouldn't" phase? :)

For libraries that wrap a well scrutinized implementation, it appears that
HsOpenSSL has some usage.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/cabal-devel/attachments/20140403/94918acc/attachment.html>


More information about the cabal-devel mailing list