One more time, SSL vs GPG was Re: hackage, cabal-get, and security

Malcolm Wallace Malcolm.Wallace at cs.york.ac.uk
Thu May 19 09:59:50 EDT 2005


I'm no expert on any of this, but from the descriptions given so far on
this mailing list, I think you have oversimplified the differences here.

> GPG secures documents, not interactions.
> SSL secures interactions, not documents

Yes.

> Hackage is an interaction not a document.

Hackage is an interaction /over/ documents.

> Therefore, SSL can secure Hackage, but GPG can't.

Wrong.  SSL can secure the transport layer of document transmission,
but does nothing towards authenticating the documents themselves.
Garbage is still garbage, even if it is sent securely.

GPG authenticates the documents, which means it does not matter
whether the transport layer is secure or not - I can still be sure
the document is uncompromised.

> GPG requires authors to learn GPG and attend key signing parties.
> SSL requires authors to learn nothing.
> Therefore, SSL is easier for authors.

Provided the author doesn't mind an attacker replacing their package
with a compromised one, with no immediate means of detection, and no
easy way to alert users when the intrusion is detected.

Regards,
    Malcolm

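The point Malcolm makes above (transport security carries whatever the mirror holds, a signature over the document is checked regardless of how the bytes travelled) can be shown concretely. The following Go program is an added illustration, not code from the original post or from Hackage or cabal-get; it stands in Ed25519 from Go's standard library for GPG, uses a SHA-256 digest of the archive as the signed message, and models the mirror as a map and the transport as a function that either passes bytes through untouched (TLS) or flips a byte in flight (plaintext with an on-path attacker). Package names and archive contents are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is an archive plus a detached signature over it, the shape
// a mirror would serve.
type SignedPackage struct {
	Name    string
	Archive []byte
	Sig     []byte
}

// SignPackage is the author's step (the role GPG plays in the thread): hash
// the archive and sign the digest with the author's private key.
func SignPackage(priv ed25519.PrivateKey, name string, archive []byte) SignedPackage {
	digest := sha256.Sum256(archive)
	return SignedPackage{Name: name, Archive: archive, Sig: ed25519.Sign(priv, digest[:])}
}

// VerifyPackage is the user's step: recompute the digest of whatever bytes
// arrived and check the signature against the author's public key. Nothing
// here depends on which transport delivered the bytes.
func VerifyPackage(authorPub ed25519.PublicKey, p SignedPackage) bool {
	digest := sha256.Sum256(p.Archive)
	return ed25519.Verify(authorPub, digest[:], p.Sig)
}

// Transport models the channel between mirror and user.
type Transport func(p SignedPackage) SignedPackage

// TLS delivers exactly what the mirror holds; it says nothing about whether
// the mirror's copy is the author's.
func TLS(p SignedPackage) SignedPackage { return p }

// PlaintextMITM models an on-path attacker altering the archive in flight.
func PlaintextMITM(p SignedPackage) SignedPackage {
	out := p
	out.Archive = append([]byte(nil), p.Archive...)
	out.Archive[0] ^= 0xff
	return out
}

// Outcome records whether the user's verification accepted the package in
// each scenario from the thread.
type Outcome struct {
	GenuineOverTLS   bool // author's archive, honest mirror, TLS
	GenuineOverMITM  bool // author's archive, altered on the wire
	ReplacedOverTLS  bool // attacker swapped the archive on the mirror, TLS
	ReplacedResigned bool // attacker swapped the archive and signed with own key
}

// RunScenario builds a mirror holding one signed package and plays the
// scenarios through. Expected: only GenuineOverTLS is true.
func RunScenario() (Outcome, error) {
	authorPub, authorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample archive bytes; a real tarball would be used here.
	archive := []byte("constructed sample: foo-1.0.tar.gz contents")
	mirror := map[string]SignedPackage{"foo-1.0": SignPackage(authorPriv, "foo-1.0", archive)}

	var o Outcome
	o.GenuineOverTLS = VerifyPackage(authorPub, TLS(mirror["foo-1.0"]))
	o.GenuineOverMITM = VerifyPackage(authorPub, PlaintextMITM(mirror["foo-1.0"]))

	// Attacker with write access to the mirror replaces the archive but
	// cannot produce the author's signature over it; TLS delivers it intact.
	evil := []byte("constructed sample: backdoored foo-1.0.tar.gz")
	swapped := mirror["foo-1.0"]
	swapped.Archive = evil
	mirror["foo-1.0"] = swapped
	o.ReplacedOverTLS = VerifyPackage(authorPub, TLS(mirror["foo-1.0"]))

	// Attacker re-signs with a key of their own; the user trusts only the
	// author's public key, so this fails too.
	mirror["foo-1.0"] = SignPackage(attackerPriv, "foo-1.0", evil)
	o.ReplacedResigned = VerifyPackage(authorPub, TLS(mirror["foo-1.0"]))

	if o.GenuineOverMITM || o.ReplacedOverTLS || o.ReplacedResigned {
		return o, errors.New("a tampered package verified; signature check is broken")
	}
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The two genuine cases differ only in transport, and the two replaced cases differ only in who signed: the signature check catches the on-wire alteration without TLS, and TLS faithfully delivers the replaced archive that only the signature check rejects. What the example does not model is key distribution: the user must already hold the author's public key, which is the cost the "key signing parties" remark in the quoted text refers to.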

More information about the Libraries mailing list