Can you please do a pull request on GitHub: https://github.com/haskell/cabal/pulls ?

My apologies, but I have no interest in using GitHub for a bunch of reasons. GitHub ToS require people to use their real names (which is not a problem for me, but dangerous for some people) as well as “defend GitHub against any claim, demand, suit or proceeding made or brought against GitHub by a third party” [1]. I’m also concerned that more and more people rely on a for-profit company, which may do whatever it wishes in the future. Last but not least, it’s powered by non-free software [2]. [1] https://help.github.com/articles/github-terms-of-service [2] https://www.gnu.org/philosophy/free-sw

On 2014-04-01 at 22:43:47 +0200, Nikita Karetnikov wrote:

Turns out cabal-install itself uses HTTP. (Try to grep for “hackage” in the source tree.) Is it due to the HTTP library, which doesn’t support HTTPS (4000.2.12 returns “user error (https not supported)”)?

Is there any interest in changing the current state of things? And if so, what is the best way to do it? Would you like to switch to a different library?

The main problem is, that cabal-install tries to rely only on HP packages; so for now HTTP is the only HTTP-library included in the HP, maybe a good place to start would be https://github.com/haskell/HTTP/issues/17 HTH, hvr

The big question we have to answer first is, how do we want to support SSL? Do we want to use an existing, well-tested, well scrutinized SSL implementation and FFI bind to it? If so, which one and why? If not, are we comfortable enough with writing a correct SSL implementation? That's very hard.

Why write your own? We could try to come up with a list of requirements, so every HTTPS library on Hackage could be evaluated. Is anyone knowledgeable of cabal-install interested in composing such a list?

On Thursday, April 3, 2014, Johan Tibell wrote:

On Thu, Apr 3, 2014 at 12:02 AM, Nikita Karetnikov javascript:_e(%7B%7D,'cvml','nikita@karetnikov.org');

...

wrote:

...

...

The big question we have to answer first is, how do we want to support SSL? Do we want to use an existing, well-tested, well scrutinized SSL implementation and FFI bind to it? If so, which one and why? If not, are we comfortable enough with writing a correct SSL implementation? That's very hard.

Why write your own? We could try to come up with a list of requirements, so every HTTPS library on Hackage could be evaluated. Is anyone knowledgeable of cabal-install interested in composing such a list?

"Write our own" as in "use a pure Haskell implementation of SSL from Hackage". This has been suggested when this question came up in the past and I'm skeptical to that from a security perspective.

If it works, how would it be worse than using no encryption whatsoever? Sure, maybe there would be a false sense of security, but it seems like a step in the right direction.

On Thu, Apr 3, 2014 at 8:38 AM, Bryan O'Sullivan wrote:

On Thu, Apr 3, 2014 at 7:44 AM, Bob Ippolito wrote:

...

If it works, how would it be worse than using no encryption whatsoever? Sure, maybe there would be a false sense of security, but it seems like a step in the right direction.

Presumably that's the problem. We'd have a possibly zero amount of end-to-end security, coupled with a possibly zero amount of trust in the remote endpoint, but we have 20 years of human factors experience demonstrating that people trust SSL by default even when they shouldn't.

Aren't we already well into the "people trust cabal-install by default even when they shouldn't" phase? :) For libraries that wrap a well scrutinized implementation, it appears that HsOpenSSL has some usage.

On 3 April 2014 17:38, Bryan O'Sullivan wrote:

Presumably that's the problem. We'd have a possibly zero amount of end-to-end security, coupled with a possibly zero amount of trust in the remote endpoint, but we have 20 years of human factors experience demonstrating that people trust SSL by default even when they shouldn't.

There was a suggestion to make Hackage digitally sign packages and ship the public key inside the cabal-install tarball. This could be used in addition to HTTPS downloads.