[Haskell-cafe] Ticking time bomb
Vincent Hanquez
tab at snarc.org
Thu Jan 31 09:15:39 CET 2013
On 01/30/2013 10:48 PM, Niklas Hambüchen wrote:
> You are right, I skipped over that this was actually a server-side
> exploit - sure, end-to-end signing will help here.
>
It also helps in the HTTP case; a MiTM wouldn't be able to change the
package without knowing the private key.
More to the point, it also helps the case with Hackage mirrors (or a
corrupt Hackage admin).
--
Vincent