Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org.

On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen <haskell@patrickmylund.com> wrote:
PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.)


On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco@changaco.net> wrote:
On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
> How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?

Ultimately it is a DNS problem. To establish a secure connection with
haskell.org you'd have to get the certificate from the DNS, but that
technology is not ready yet, so all you can do is check the key against
as many sources as possible like Michael Walker said.

On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
> So why not use HTTPS?

Because it doesn't solve the problem.

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe