(Since this thread was last active there have been very promising
discussions on security that could see the day for OPAM 1.3.)

This list may be interested in the recent plan/proposal for security in
Hackage (Haskell's package distribution infrastructure), which is
basically "follow TUF":
  http://www.well-typed.com/blog/2015/04/improving-hackage-security/

On Mon, Mar 30, 2015 at 12:01 PM, ygrek <[email protected]> wrote:

> On Sat, 17 Jan 2015 16:19:46 +0100
> Gabriel Scherer <[email protected]> wrote:
>
> > As far as I know, the current status is that OPAM checks downloaded
> > packages against the checksum in opam-repository, so it protects
> > against an attacker changing upstream releases, assuming the
> > opam-repository remains trusted and there is no man-in-the-middle
> > (MITM) attack when the user downloads the metadata -- afaik it uses
> > only HTTP currently.
>
> Also note that the client doesn't require checksums by default, and enabling
> the option to require checksums makes it abort on any repository-pinned
> package :(
>
> --
> _______________________________________________
> Platform mailing list
> [email protected]
> http://lists.ocaml.org/listinfo/platform
>
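The trust gap the thread describes (a package checksum that lives in metadata fetched over plain HTTP), as an added Python model that is not OPAM's code: it shows the unsigned check catching an altered upstream archive, being defeated once the metadata channel is attacker-controlled as well, and a TUF-style signature under a key pinned in the client closing that gap. All package bytes, URLs and keys are constructed, and HMAC stands in for a real asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed sample data (not a real OPAM package or opam-repository entry).
GENUINE_TARBALL = b"foo-1.0.tar.gz: genuine upstream release bytes"
TAMPERED_TARBALL = b"foo-1.0.tar.gz: attacker-modified release bytes"
REPO_KEY = b"constructed-repository-signing-key"  # pinned in the client

def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Repository metadata for the package: source URL plus expected checksum.
GENUINE_META = {"src": "http://upstream.example/foo-1.0.tar.gz", "checksum": checksum(GENUINE_TARBALL)}

def verify_package(meta: dict, tarball: bytes) -> bool:
    """The unsigned check the thread describes: archive hash vs metadata checksum."""
    return hmac.compare_digest(checksum(tarball), meta["checksum"])

def mitm_metadata(meta: dict, tarball: bytes) -> dict:
    """Metadata fetched over plain HTTP: an on-path party can rewrite the
    checksum to match whatever archive it serves."""
    return {**meta, "checksum": checksum(tarball)}

# TUF-style mitigation: the client rejects metadata whose signature does not
# verify under its pinned key. HMAC stands in for an asymmetric signature here
# only because the stdlib has no Ed25519; a real repository signs, not MACs.
def sign_meta(meta: dict, key: bytes = REPO_KEY) -> dict:
    body = json.dumps(meta, sort_keys=True).encode()
    return {"signed": meta, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_signed_package(envelope: dict, tarball: bytes, key: bytes = REPO_KEY) -> bool:
    body = json.dumps(envelope["signed"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(envelope["sig"], expected):
        return False  # metadata altered in transit: refuse before touching the archive
    return verify_package(envelope["signed"], tarball)

def scenarios() -> dict:
    """Outcomes of the three cases discussed in the thread."""
    forged_meta = mitm_metadata(GENUINE_META, TAMPERED_TARBALL)
    forged_env = {"signed": forged_meta, "sig": sign_meta(GENUINE_META)["sig"]}
    return {
        # upstream altered, metadata intact: unsigned check catches it
        "unsigned_upstream_only": verify_package(GENUINE_META, TAMPERED_TARBALL),
        # metadata altered too (HTTP MITM): unsigned check is defeated
        "unsigned_metadata_too": verify_package(forged_meta, TAMPERED_TARBALL),
        # same attack against signed metadata: signature check rejects it
        "signed_metadata_too": verify_signed_package(forged_env, TAMPERED_TARBALL),
    }
```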