Re: cabal-install: Replacing HTTP with HTTPS

On Thursday, April 3, 2014, Johan Tibell wrote:

On Thu, Apr 3, 2014 at 12:02 AM, Nikita Karetnikov javascript:_e(%7B%7D,'cvml','nikita@karetnikov.org');

...

wrote:

...

...

The big question we have to answer first is, how do we want to support SSL? Do we want to use an existing, well-tested, well scrutinized SSL implementation and FFI bind to it? If so, which one and why? If not, are we comfortable enough with writing a correct SSL implementation? That's very hard.

Why write your own? We could try to come up with a list of requirements, so every HTTPS library on Hackage could be evaluated. Is anyone knowledgeable of cabal-install interested in composing such a list?

"Write our own" as in "use a pure Haskell implementation of SSL from Hackage". This has been suggested when this question came up in the past and I'm skeptical to that from a security perspective.

If it works, how would it be worse than using no encryption whatsoever? Sure, maybe there would be a false sense of security, but it seems like a step in the right direction.