[Haskell-cafe] Ticking time bomb

Edward Z. Yang ezyang at MIT.EDU
Wed Jan 30 20:47:00 CET 2013

> As long as we upload packages via plain HTTP, signing won't help though.

I don't think that's true?  If the package is tampered with, then the
signature will be invalid; if the signature is also forged, then the
private key is compromised and we can blacklist it.  We care only
about integrity, not secrecy.
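The integrity argument above, as an added example that is not part of this thread or of Hackage's code: the receiver verifies a detached Ed25519 signature over a tarball that arrived via an untrusted channel, so a tarball altered in transit fails the check, and a blacklist rejects signatures from a key known to be compromised. Type and function names, and the tarball bytes, are hypothetical and constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keyring is what the receiving side trusts: accepted uploader keys plus a
// blacklist of keys known to be compromised. Hypothetical, not Hackage's code.
type Keyring struct{ trusted, revoked map[string]bool }
func NewKeyring() *Keyring { return &Keyring{map[string]bool{}, map[string]bool{}} }
func (k *Keyring) Trust(pub ed25519.PublicKey)  { k.trusted[string(pub)] = true }
func (k *Keyring) Revoke(pub ed25519.PublicKey) { k.revoked[string(pub)] = true }

var (
	ErrUnknownKey   = errors.New("signer key not trusted")
	ErrRevokedKey   = errors.New("signer key is blacklisted")
	ErrBadSignature = errors.New("signature does not match tarball")
)

// Verify runs on receipt of (tarball, detached signature, signer key) sent
// over plain HTTP: a tarball altered in transit no longer matches its
// signature, and a blacklisted key is rejected even if its signature is valid.
func (k *Keyring) Verify(pub ed25519.PublicKey, tarball, sig []byte) error {
	switch {
	case k.revoked[string(pub)]:
		return ErrRevokedKey
	case !k.trusted[string(pub)]:
		return ErrUnknownKey
	case !ed25519.Verify(pub, tarball, sig):
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	kr := NewKeyring()
	kr.Trust(pub)
	tarball := []byte("constructed tarball bytes") // stands in for a real upload
	sig := ed25519.Sign(priv, tarball)             // uploader signs before sending
	fmt.Println("intact:", kr.Verify(pub, tarball, sig))
	tarball[0] ^= 1 // modification in transit
	fmt.Println("tampered:", kr.Verify(pub, tarball, sig))
	kr.Revoke(pub) // key found compromised, so blacklist it
	fmt.Println("blacklisted:", kr.Verify(pub, tarball, sig))
}
```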


