<font face="verdana,sans-serif">Do it at home.</font><div><font face="verdana,sans-serif"><br></font></div><div><font face="verdana,sans-serif">If you're at an internet cafe, though, it'd be nice if you could trust cabal packages.</font></div>
<div><font face="verdana,sans-serif"><br></font></div><div><font face="verdana,sans-serif"> - Clark<br></font><br><div class="gmail_quote">On Sun, Oct 28, 2012 at 5:07 PM, Patrick Hurst <span dir="ltr">&lt;<a href="mailto:phurst@amateurtopologist.com" target="_blank">phurst@amateurtopologist.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
On Oct 28, 2012, at 4:38 PM, Changaco &lt;<a href="mailto:changaco@changaco.net">changaco@changaco.net</a>&gt; wrote:<br>
<br>
> On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote:<br>
>> In this particular case, cabal can have the public part of the<br>
>> certificate built-in (as it has the web address built in). So once one<br>
>> has a verified installation of cabal, it can verify the server<br>
>> packages without being susceptible to MitM attack (no matter if<br>
>> they're PGP signed or X.509 signed).<br>
><br>
> This is PGP's security model, so it's probably better to use PGP keys.<br>
<br>
<br>
</div>How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org">Haskell-Cafe@haskell.org</a><br>
<a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/mailman/listinfo/haskell-cafe</a><br>
</div></div></blockquote></div><br></div>