[Hackage] #946: Packages are downloaded insecurely
Hackage
cvs-ghc at haskell.org
Thu Apr 26 12:16:58 CEST 2012
#946: Packages are downloaded insecurely
----------------------------+-----------------------------------------------
Reporter: cooldude | Owner:
Type: defect | Status: new
Priority: high | Milestone:
Component: Cabal library | Version: 1.10.2.0
Severity: major | Keywords:
Difficulty: unknown | Ghcversion:
Platform: |
----------------------------+-----------------------------------------------
It appears that when running cabal install package, the package is
downloaded without any transport security.
Anyone who can perform a man-in-the-middle attack could tamper with the
package that is being downloaded, resulting in a complete compromise of
the cabal user.
This makes it impossible to use cabal.
The servers should utilize TLS; it is possible to get a free certificate
from StartCom if price is a concern.
Additionally, when packages are verified as non-malicious, they should be
signed with a "cabal" signing key, and then the package signatures should
be verified by cabal.
--
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/946>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects