[Haskell-cafe] [Security] Put haskell.org on https
jeremy at n-heptane.com
Sun Oct 28 21:42:41 CET 2012
On Sun, Oct 28, 2012 at 1:45 PM, Patrick Hurst
<phurst at amateurtopologist.com> wrote:
> On the other hand, with PGP, any user who wants to be secure but doesn't use GPG would have to verify the identity of whoever signed the Cabal GPG key, and most non-Linux operating systems don't come with a list of trusted GPG keys. So how do they get them without using HTTPS (since if you use HTTPS to figure out what keys you trust, your scheme is no more secure than HTTPS)?
Well.. my dumb idea is that you include some trusted GPG keys with the
cabal client itself? Obviously you must be getting cabal-install from
a trusted source, or all the HTTPS in the world can't help you?
I'm sure this idea is wrong somehow, but someone had to mention it ;)