[Haskell-cafe] [Security] Put haskell.org on https

Petr P petr.mvd at gmail.com
Sun Oct 28 15:53:04 CET 2012


2012/10/28 Iustin Pop <iusty at k1024.org>:
> On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
>> does cabal need to do any authenticated stuff? For downloading
>> packages I think HTTP is perfectly fine. So we could have HTTP for
>> cabal download only and HTTPS for everything else.
>
> Kindly disagree here. Ensuring that packages are downloaded
> safely/correctly without MITM attacks is also important. Even if as an
> option.

Good point. But if cabal+https is a problem, this could be solved by
other means too, for example by signing the packages.

Best regards,
Petr Pudlak



More information about the Haskell-Cafe mailing list