HTTPS doesn't really change anything if the server is compromised, it only
prevents bad things from happening in transit.
Sign the packages with GPG (or equivalent) before upload. The server never
sees the package author's private key, only the public key. Server and/or
client can warn or fail if the public key doesn't match their previous
credentials or the signature verification fails.
On Wed, Jan 30, 2013 at 11:44 AM, Niklas Hambüchen
As long as we upload packages via plain HTTP, signing won't help though.
On Wed 30 Jan 2013 19:27:32 GMT, Edward Z. Yang wrote:
https://status.heroku.com/incidents/489
Unsigned Hackage packages are a ticking time bomb.
Cheers, Edward
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe