4 Apr
2014
4 Apr
'14
10:41 p.m.
On 3 April 2014 17:38, Bryan O'Sullivan
Presumably that's the problem. We'd have a possibly zero amount of end-to-end security, coupled with a possibly zero amount of trust in the remote endpoint, but we have 20 years of human factors experience demonstrating that people trust SSL by default even when they shouldn't.
There was a suggestion to make Hackage digitally sign packages and ship the public key inside the cabal-install tarball. This could be used in addition to HTTPS downloads.