[Haskell-cafe] Ticking time bomb

Vincent Hanquez tab at snarc.org
Thu Jan 31 09:15:39 CET 2013


On 01/30/2013 10:48 PM, Niklas Hambüchen wrote:
> You are right, I skipped over that this was actually a server-side
> exploit - sure, end-to-end signing will help here.
>
It also helps in the HTTP case; a MiTM wouldn't be able to change the
package without knowing the private key.
More to the point, it also helps the case with hackage mirrors (or a
corrupt hackage admin).

-- 
Vincent


