[Haskell-cafe] [Security] Put haskell.org on https
Iustin Pop
iusty at k1024.org
Sun Oct 28 16:06:59 CET 2012
On Sun, Oct 28, 2012 at 03:53:04PM +0100, Petr P wrote:
> 2012/10/28 Iustin Pop <iusty at k1024.org>:
> > On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
> >> does cabal need to do any authenticated stuff? For downloading
> >> packages I think HTTP is perfectly fine. So we could have HTTP for
> >> cabal download only and HTTPS for everything else.
> >
> > Kindly disagree here. Ensuring that packages are downloaded
> > safely/correctly without MITM attacks is also important. Even if as an
> > option.
>
> Good point. But if cabal+https is a problem, this could be solved by
> other means too, for example by signing the packages.
Well, I agree, but then the same could be applied on upload too, like
Debian does - instead of user+pw, register a GPG key.
iustin