No matter what we do with cabal, it would be great if I could soon point
my browser at https://haskell.org *anyway*.
On 28/10/12 23:55, Patrick Mylund Nielsen wrote:
> Of course, as long as Cabal itself is distributed through this same
> https-enabled site, you have the same PKI-backed security as just about
> any major website. This model has problems, yes, but it's good enough,
> and it's easy to use. If you really want to improve it (without
> impacting usability), have Google/the browser vendors pin the public
> cert for haskell.org <http://haskell.org>.
>
> On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen
> <
haskell@patrickmylund.com <mailto:
haskell@patrickmylund.com>> wrote:
>
> PGP tends to present many usability issues, and in this case it
> would make more sense/provide a clearer win if there were many
> different, semi-untrusted hackage mirrors. Just enable HTTPS and
> have Cabal validate the server certificate against a CA pool of one.
> PKI/trusting obscure certificate authorities in Egypt and Syria is
> the biggest concern here, not somebody MITMing your initial Cabal
> installation (which in a lot of cases happens through apt-get or
> yum, anyway.)
>
>
> On Mon, Oct 29, 2012 at 12:34 AM, Changaco <
changaco@changaco.net
> <mailto:
changaco@changaco.net>> wrote:
>
> On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
> > How do you get a copy of cabal while making sure that somebody
> hasn't MITMed you and replaced the PGP key?
>
> Ultimately it is a DNS problem. To establish a secure connection
> with
> certificate from the DNS, but that
> technology is not ready yet, so all you can do is check the key
> against
> as many sources as possible like Michael Walker said.
>
> On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
> > So why not use HTTPS?
>
> Because it doesn't solve the problem.
>
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe@haskell.org <mailto:Haskell-Cafe@haskell.org>
> http://www.haskell.org/mailman/listinfo/haskell-cafe