On Sat, 17 Jan 2015 16:19:46 +0100 Gabriel Scherer <[email protected]> wrote:
> As far as I know, the current status is that OPAM checks downloaded
> packages against the checksum in opam-repository, so it protects
> against an attacker changing upstream releases, assuming the
> opam-repository remains trusted and there is no man-in-the-middle
> (MITM) attack when the user downloads the metadata -- afaik it uses
> only HTTP currently.

Also note that the client doesn't require checksums by default, and enabling the option to require checksums makes it abort on any repository-pinned package :(

--
_______________________________________________
Platform mailing list
[email protected]
http://lists.ocaml.org/listinfo/platform
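A small model of the checksum policy discussed in this message, added here as an illustration; it is not opam's code. The names `PackageMeta`, `verify_archive` and `require_checksum`, the use of SHA-256, and modelling a pinned package as one with no checksum entry are all assumptions. It shows that a checksum only helps while the metadata is trusted, and how a fail-open default differs from a fail-closed option.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


class ChecksumError(Exception):
    """The archive must not be installed."""


@dataclass
class PackageMeta:
    name: str
    checksum: Optional[str]  # hex SHA-256 from repository metadata; None when absent


def verify_archive(meta: PackageMeta, archive: bytes, require_checksum: bool = False) -> str:
    """Return "verified" or "unverified"; raise ChecksumError when the install must abort."""
    if meta.checksum is None:
        if require_checksum:
            # Strict mode fails closed: no checksum entry means no install.
            raise ChecksumError(f"{meta.name}: no checksum in metadata")
        return "unverified"  # Default mode fails open: nothing was checked.
    actual = hashlib.sha256(archive).hexdigest()
    if not hmac.compare_digest(actual, meta.checksum.lower()):
        raise ChecksumError(f"{meta.name}: checksum mismatch")
    return "verified"


def outcome(meta: PackageMeta, archive: bytes, require_checksum: bool = False) -> str:
    """Run the check and describe the result as a string."""
    try:
        return verify_archive(meta, archive, require_checksum)
    except ChecksumError as exc:
        return f"abort ({exc})"


# Constructed sample data, not real packages.
GOOD = b"release tarball 1.0"
TAMPERED = b"release tarball 1.0 + modified"
released = PackageMeta("foo", hashlib.sha256(GOOD).hexdigest())
pinned = PackageMeta("bar-pinned", None)  # assumption: pinned package has no checksum entry
# Metadata altered in transit (plain HTTP) so that it matches the modified archive.
rewritten = PackageMeta("foo", hashlib.sha256(TAMPERED).hexdigest())

if __name__ == "__main__":
    print(outcome(released, GOOD))                       # trusted metadata, intact archive
    print(outcome(released, TAMPERED))                   # upstream release changed
    print(outcome(rewritten, TAMPERED))                  # metadata and archive both changed
    print(outcome(pinned, GOOD))                         # default: installs unchecked
    print(outcome(pinned, GOOD, require_checksum=True))  # strict: aborts
```

The third case is the one the quoted text warns about: when the metadata channel is not authenticated, a matching checksum proves nothing, which is why the metadata needs to be fetched over an authenticated channel or be signed.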
