[Haskell-cafe] SSL support for hackage and cabal
Niklas Hambüchen
mail at nh2.me
Sun Nov 3 18:19:49 UTC 2013
On 03/11/13 17:49, Scott Lawrence wrote:
> Even if you do expose the private key to other people, there's no way
> for them to know that the administrator didn't also send it somewhere
> else -- you can't prove that somebody hasn't duplicated information,
> without making sure they don't have access to the information (which the
> admin must).
>
> At the end of the day, trusting admins is what almost always happens.
> The other route is for packages to be individually signed by developers.
> As I recall, that's been explicitly discussed and informally rejected
> here before, on the grounds that it makes the uploading process
> significantly more cumbersome for many people.
It is clear that putting HTTPS on the Hackage web site is the first step.
Then comes cabal SSL support, and then maybe in the future the package
signing.
Once again, could we please just go ahead and push forward that the SSL
certificate gets on the web server?
As Jason Dagit said:
We do have folks assigned to putting the cert in place and
configuring everything, they just need a bit more time
(More volunteers would help too, but that's longer term.)
Who are the folks, and what needs more time?
There seem to be a lot of volunteers around who would like to help (for
example, I have asked for this multiple times over the last years and
this thread shows that there are many more people interested in it).
More information about the Haskell-Cafe
mailing list