Making cabal-install SSL capable
spam at scientician.net
Tue Apr 28 15:51:52 UTC 2015
On 28-04-2015 16:58, Duncan Coutts wrote:
> On Mon, 2015-04-27 at 23:55 -0400, Gershom B wrote:
>> I would like to pursue getting SSL into cabal by any of these three
>> avenues. What do people feel about the relative tradeoffs of these
>> options? Honestly, I lean towards simply using the tls package,
>> because https is ultimately only going to be a complementary aspect of
>> our security architecture plans and not central to it. And a
>> pure-haskell dependency is the most logical approach. If people find
>> too much fault with that approach, I would be inclined to shell out as
>> the next option, with HsOpenSSL as the last option only because I
>> worry about too many “unknown unknowns” of the sort I listed above.
>> But if others have more experience with these approaches, proposals
>> are welcome!
> My suggestion is that in the short term we use an external curl binary
> if it happens to be available, and fallback to digest auth if not.
> If/when we are in a position to have dependencies on decent http(s)
> libraries then we should use those.
I wonder what curl's defaults are wrt. accepting self-signed certs
and/or certs without a valid trust chain in the system's default
certificate store. I guess someone would have to go through all the
options and see what's necessary here.
(I guess there might be some issues here with old versions of "curl" vs.
newer versions, but at least some of the curl options have an "Added in
X.Y.Z" which could be used to guide decisions here.)