
28 Oct
2012
8:42 p.m.
On Sun, Oct 28, 2012 at 1:45 PM, Patrick Hurst wrote:
> On the other hand, with PGP, any user who wants to be secure but doesn't use GPG would have to verify the identity of whoever signed the Cabal GPG key, and most non-Linux operating systems don't come with a list of trusted GPG keys. So how do they get them without using HTTPS (since if you use HTTPS to figure out what keys you trust, your scheme is no more secure than HTTPS)?

Well.. my dumb idea is that you include some trusted GPG keys with the cabal client itself? Obviously you must be getting cabal-install from a trusted source, or all the HTTPS in the world can't help you? I'm sure this idea is wrong somehow, but someone had to mention it ;)

- jeremy