[Haskell-cafe] Ticking time bomb
Bob Ippolito
bob at redivi.com
Wed Jan 30 20:58:09 CET 2013
HTTPS doesn't really change anything if the server is compromised, it only
prevents bad things from happening in transit.
Sign the packages with GPG (or equivalent) before upload. The server never
sees the package author's private key, only the public key. Server and/or
client can warn or fail if the public key doesn't match their previous
credentials or the signature verification fails.
On Wed, Jan 30, 2013 at 11:44 AM, Niklas Hambüchen <mail at nh2.me> wrote:
> As long as we upload packages via plain HTTP, signing won't help though.
>
> On Wed 30 Jan 2013 19:27:32 GMT, Edward Z. Yang wrote:
> > https://status.heroku.com/incidents/489
> >
> > Unsigned Hackage packages are a ticking time bomb.
> >
> > Cheers,
> > Edward
> >
> > _______________________________________________
> > Haskell-Cafe mailing list
> > Haskell-Cafe at haskell.org
> > http://www.haskell.org/mailman/listinfo/haskell-cafe
>
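The scheme Bob describes, as an added example that is not code from this thread or from Hackage: the author signs the tarball locally, the server only ever stores the signature and public key, and whoever verifies (server or client) fails on a bad signature or on a key that differs from the one previously pinned for that package. Ed25519 from Go's standard library stands in for GPG as the "or equivalent"; the `Upload`/`Pins` types, `SignUpload`, the package name `acme` and the tarball bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Upload is what the server stores and serves; the author's private key is never part of it.
type Upload struct {
	Name               string
	Tarball, Signature []byte
	PubKey             ed25519.PublicKey
}

// SignUpload is the author-side step, done locally before the plain-HTTP upload.
func SignUpload(name string, tarball []byte, priv ed25519.PrivateKey) Upload {
	return Upload{name, tarball, ed25519.Sign(priv, tarball), priv.Public().(ed25519.PublicKey)}
}

// Pins maps a package name to the fingerprint of the key first seen signing it (trust on first use).
type Pins map[string]string
var ErrBadSignature = errors.New("signature verification failed")
var ErrKeyMismatch = errors.New("signing key differs from the key previously pinned")

// Verify rejects a signature that does not cover these exact tarball bytes, or a key change
// for a package seen before; on first sight it pins the key. Server and/or client run this.
func (p Pins) Verify(u Upload) error {
	if !ed25519.Verify(u.PubKey, u.Tarball, u.Signature) {
		return ErrBadSignature
	}
	fp := fmt.Sprintf("%x", sha256.Sum256(u.PubKey))
	if seen, ok := p[u.Name]; ok && seen != fp {
		return ErrKeyMismatch
	}
	p[u.Name] = fp
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, other, _ := ed25519.GenerateKey(rand.Reader) // unrelated key, as a different uploader would hold
	pins := Pins{}
	u := SignUpload("acme", []byte("constructed tarball bytes"), priv)
	fmt.Println("original upload:", pins.Verify(u)) // <nil>
	u.Tarball = []byte("tarball bytes altered after upload")
	fmt.Println("altered tarball:", pins.Verify(u)) // signature verification failed
	fmt.Println("different key:  ", pins.Verify(SignUpload("acme", []byte("v2"), other)))
}
```

The pinning step is what makes a compromised server's own key useless: it can serve anything it likes, but not under a key the verifier has already associated with the package.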