PGP tends to present many usability issues, and in this case it would make
more sense/provide a clearer win if there were many different,
semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate
the server certificate against a CA pool of one. PKI/trusting obscure
certificate authorities in Egypt and Syria is the biggest concern here, not
somebody MITMing your initial Cabal installation (which in a lot of cases
happens through apt-get or yum, anyway.)
On Mon, Oct 29, 2012 at 12:34 AM, Changaco
On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?
Ultimately it is a DNS problem. To establish a secure connection with haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said.
On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
So why not use HTTPS?
Because it doesn't solve the problem.
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe