28 Oct
2012
28 Oct
'12
2:53 p.m.
2012/10/28 Iustin Pop
On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else.
Kindly disagree here. Ensuring that packages are downloaded safely/correctly without MITM attacks is also important. Even if as an option.
Good point. But if cabal+https is a problem, this could be solved by other means too, for example by signing the packages. Best regards, Petr Pudlak