31 Jan
2013
31 Jan
'13
3:15 a.m.
On 01/30/2013 10:48 PM, Niklas Hambüchen wrote:
You are right, I skipped over that this was actually a server-side exploit - sure, end-to-end signing will help here.
it helps also in the HTTP case; a MiTM wouldn't be able to change the package without knowing the private key. more to the point it also help the case with hackage mirrors (or a corrupt hackage admin). -- Vincent