Making cabal-install SSL capable

Michael Snoyman michael at snoyman.com
Tue Apr 28 04:08:38 UTC 2015


+1. Oddly enough, I was just in the process of filing a bug report related
to this on something I discovered yesterday, namely that `cabal upload`
uses HTTP basic authentication over HTTP, exposing username/password to
anyone sniffing the connection.

I offered Duncan last week that I'd port cabal-install over to
http-client/http-client-tls to add SSL support. That offer still stands.

On Tue, Apr 28, 2015 at 6:55 AM Gershom B <gershomb at gmail.com> wrote:

> So there are many discussions over various hackage security schemes, and
> there are a variety of takes on the different elements of how we could make
> package distribution more secure.
>
> However, everyone seems to agree that it would be unambiguously better if
> the cabal install executable were able to communicate over ssl.
>
> I looked at the previous discussion on this topic [1], and it seems that
> HsOpenSSL and tls were both considered. I don’t have any experience with
> how cross-platform compatible HsOpenSSL is (i.e. if it is sufficiently easy
> to use for both Windows and OS X that we can just encourage people to
> “cabal install cabal-install” and things will just work). I don’t know if
> anyone else can speak to this? Furthermore, of course, redistributing
> cabal-install binaries could potentially be more of a pain with links to
> external c libraries. I’m not quite sure how much an issue this would be.
> Meanwhile, tls is certainly cross-platform, but there is the question about
> how trustworthy it is, as it is not nearly as widely used and vetted as
> openssl.
>
> Also, we have the option of simply shelling out to curl, wget, or the
> appropriate powershell command (on windows 7 or above you get those by
> default).
>
> So rather than rely on either HsOpenSSL or tls, we could also teach cabal
> to probe for one of the appropriate executables on first run, save that
> configuration, and warn if no such executable is available (allowing the
> user to fall back to http with warnings indefinitely).
>
> I would like to pursue getting SSL into cabal by any of these three
> avenues. What do people feel about the relative tradeoffs of these options?
> Honestly, I lean towards simply using the tls package, because https is
> ultimately only going to be a complimentary aspect of our security
> architecture plans and not central to it. And a pure-haskell dependency is
> the most logical approach. If people find too much fault with that
> approach, I would be inclined to shell out as the next option, with
> HsOpenSSL as the last option only because I worry about too many “unknown
> unknowns” of the sort I listed above. But if others have more experience
> with these approaches, proposals are welcome!
>
> —Gershom
> _______________________________________________
> cabal-devel mailing list
> cabal-devel at haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/cabal-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/cabal-devel/attachments/20150428/b5cf9e68/attachment.html>


More information about the cabal-devel mailing list