
28 Oct 2012, 9:07 p.m.
On Oct 28, 2012, at 4:38 PM, Changaco wrote:
On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote:
In this particular case, cabal can have the public part of the certificate built-in (as it has the web address built in). So once one has a verified installation of cabal, it can verify the server packages without being susceptible to MitM attack (no matter if they're PGP signed or X.509 signed).
This is PGP's security model, so it's probably better to use PGP keys.
How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?