[Haskell-cafe] [Security] Put haskell.org on https

Patrick Mylund Nielsen haskell at patrickmylund.com
Mon Oct 29 00:45:44 CET 2012


PGP tends to present many usability issues, and in this case it would make
more sense/provide a clearer win if there were many different,
semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate
the server certificate against a CA pool of one. PKI/trusting obscure
certificate authorities in Egypt and Syria is the biggest concern here, not
somebody MITMing your initial Cabal installation (which in a lot of cases
happens through apt-get or yum, anyway.)

On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco at changaco.net> wrote:

> On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
> > How do you get a copy of cabal while making sure that somebody hasn't
> > MITMed you and replaced the PGP key?
>
> Ultimately it is a DNS problem. To establish a secure connection with
> haskell.org you'd have to get the certificate from the DNS, but that
> technology is not ready yet, so all you can do is check the key against
> as many sources as possible like Michael Walker said.
>
> On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
> > So why not use HTTPS?
>
> Because it doesn't solve the problem.
>
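
The "CA pool of one" suggestion in the message above, as an added example that is not part of the original thread and is not Cabal's code: the client trusts a single CA file, so a certificate for the same name issued by any other CA is rejected. The CA names, keys and certificates are constructed throwaway test data, and the script assumes OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added illustration: a trust pool of exactly one CA.
# All names, keys and certificates here are constructed throwaway test data.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca PREFIX CN: create a self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_cert CA_PREFIX LEAF_PREFIX CN: server certificate signed by that CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# pinned_verify CA_FILE LEAF: succeeds only if LEAF chains to the single CA
# in CA_FILE. -no-CApath keeps the system trust store out of the decision.
pinned_verify() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# "pinned" is the hypothetical project-run CA; "other" stands for any other CA.
make_ca "$work/pinned" "Hypothetical Project CA"
make_ca "$work/other"  "Some Other CA"
issue_cert "$work/pinned" "$work/real"  "haskell.org"
issue_cert "$work/other"  "$work/rogue" "haskell.org"

for leaf in real rogue; do
    if pinned_verify "$work/pinned.pem" "$work/$leaf.pem"; then
        echo "$leaf: accepted"
    else
        echo "$leaf: rejected"
    fi
done
```

`openssl verify` checks only the chain; a real client must also match the certificate against the host name it connected to.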