#946: Packages are downloaded insecurely
----------------------------+-----------------------------------------------
  Reporter:  cooldude        |       Owner:
      Type:  defect          |      Status:  new
  Priority:  high            |   Milestone:
 Component:  Cabal library   |     Version:  1.10.2.0
  Severity:  major           |    Keywords:
Difficulty:  unknown         |  Ghcversion:
  Platform:                  |
----------------------------+-----------------------------------------------
 It appears that when running cabal install package, the package is
 downloaded without any transport security.

 Anyone who can perform a man-in-the-middle attack could tamper with the
 package that is being downloaded, resulting in a complete compromise of the
 cabal user. This makes it impossible to use cabal. The servers should
 utilize TLS; it is possible to get a free certificate from StartCom if
 price is a concern.

 Additionally, when packages are verified as non-malicious, they should be
 signed with a "cabal" signing key, and then the package signatures should
 be verified by cabal.

-- 
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/946>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects

_______________________________________________
cabal-devel mailing list
cabal-devel@haskell.org
http://www.haskell.org/mailman/listinfo/cabal-devel
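The ticket's second proposal (sign reviewed packages with a project key, verify the signature in the client before installing) can be illustrated end to end. The Go program below is an added example, not code from the ticket, from Cabal or from Hackage. It assumes Ed25519 as the signature scheme, a constructed record format that binds package name, version and tarball digest together, and a client that ships with the maintainers' public key pinned; none of those details are specified by the ticket.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedPackage is a constructed record format: what a signed index entry
// might carry for one package. The real Hackage/cabal format is not assumed.
type SignedPackage struct {
	Name      string
	Version   string
	SHA256    string // hex SHA-256 of the tarball bytes
	Signature []byte // Ed25519 signature over canonicalRecord(...)
}

var (
	ErrBadSignature   = errors.New("record signature does not verify against the pinned key")
	ErrDigestMismatch = errors.New("tarball digest does not match the signed record")
)

// canonicalRecord fixes the exact bytes that get signed so that name, version
// and digest are bound together: swapping any one of them breaks the signature.
func canonicalRecord(name, version, sha256Hex string) []byte {
	return []byte("cabal-pkg-v1\n" + name + "\n" + version + "\n" + sha256Hex + "\n")
}

// NewSigningKey generates a fresh Ed25519 key pair. In a real deployment the
// private half stays with the index maintainers and the public half ships
// with (is pinned in) the client.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPackage is the server-side step: once a package has been reviewed,
// hash the tarball and sign the (name, version, digest) record.
func SignPackage(priv ed25519.PrivateKey, name, version string, tarball []byte) SignedPackage {
	sum := sha256.Sum256(tarball)
	digest := hex.EncodeToString(sum[:])
	return SignedPackage{
		Name:      name,
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, canonicalRecord(name, version, digest)),
	}
}

// VerifyPackage is the client-side step, run before anything is unpacked or
// built: check the record's signature with the pinned key first, then check
// that the bytes actually downloaded hash to the signed digest.
func VerifyPackage(pub ed25519.PublicKey, pkg SignedPackage, tarball []byte) error {
	if !ed25519.Verify(pub, canonicalRecord(pkg.Name, pkg.Version, pkg.SHA256), pkg.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(tarball)
	if subtle.ConstantTimeCompare([]byte(hex.EncodeToString(sum[:])), []byte(pkg.SHA256)) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a package tarball.
	tarball := []byte("constructed tarball bytes for example-pkg-1.0")
	rec := SignPackage(priv, "example-pkg", "1.0", tarball)

	fmt.Println("genuine download:", VerifyPackage(pub, rec, tarball))
	// Bytes altered in transit: the signed digest no longer matches.
	fmt.Println("modified tarball:", VerifyPackage(pub, rec, append([]byte("x"), tarball...)))
	// Record re-signed with a key the client does not trust: signature check fails.
	_, otherPriv, _ := NewSigningKey()
	forged := SignPackage(otherPriv, "example-pkg", "1.0", []byte("other bytes"))
	fmt.Println("re-signed record:", VerifyPackage(pub, forged, []byte("other bytes")))
}
```

The order of the two checks matters: the signature is verified before the digest is trusted, so a record that was not produced by the pinned key never gets to vouch for any tarball, and the digest comparison covers the bytes that were actually received rather than any length or name metadata sent alongside them. Signing addresses tampering whether or not the transport is TLS; TLS still matters for the first proposal in the ticket, since it also protects the key-distribution and index-download paths.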