PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.)<br>
<br><div class="gmail_quote">On Mon, Oct 29, 2012 at 12:34 AM, Changaco <span dir="ltr">&lt;<a href="mailto:changaco@changaco.net" target="_blank">changaco@changaco.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:<br>
&gt; How do you get a copy of cabal while making sure that somebody hasn&#39;t MITMed you and replaced the PGP key?<br>
<br>
</div>Ultimately it is a DNS problem. To establish a secure connection with<br>
<a href="http://haskell.org" target="_blank">haskell.org</a> you&#39;d have to get the certificate from the DNS, but that<br>
technology is not ready yet, so all you can do is check the key against<br>
as many sources as possible like Michael Walker said.<br>
<div class="im"><br>
On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:<br>
&gt; So why not use HTTPS?<br>
<br>
</div>Because it doesn&#39;t solve the problem.<br>
<div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org">Haskell-Cafe@haskell.org</a><br>
<a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/mailman/listinfo/haskell-cafe</a><br>
</div></div></blockquote></div><br>