#946: Packages are downloaded insecurely ----------------------------+----------------------------------------------- Reporter: cooldude | Owner: Type: defect | Status: new Priority: high | Milestone: Component: Cabal library | Version: 1.10.2.0 Severity: major | Keywords: Difficulty: unknown | Ghcversion: Platform: | ----------------------------+----------------------------------------------- It appears that when running cabal install package, the package is downloaded without any transport security. Anyone who can perform a man in the middle attack could tamper with the package that is being downloaded, resulting in a complete compromise of the cabal user. This makes it impossible to use cabal. The servers should utilize TLS, it is possible to get a free certificate from startcom if price is a concern. Additionally when packages are verified as non-malicious, they should be signed with a "cabal" signing key, and then the package signatures should be verified by cabal. -- Ticket URL: http://hackage.haskell.org/trac/hackage/ticket/946 Hackage http://haskell.org/cabal/ Hackage: Cabal and related projects