[Haskell-cafe] Ticking time bomb
tab at snarc.org
Thu Jan 31 09:15:39 CET 2013
On 01/30/2013 10:48 PM, Niklas Hambüchen wrote:
> You are right, I skipped over that this was actually a server-side
> exploit - sure, end-to-end signing will help here.
it helps also in the HTTP case; a MiTM wouldn't be able to change the
package without knowing the private key.
more to the point it also help the case with hackage mirrors (or a
corrupt hackage admin).
More information about the Haskell-Cafe