#946: Packages are downloaded insecurely
----------------------------+-----------------------------------------------
Reporter: cooldude | Owner:
Type: defect | Status: new
Priority: high | Milestone:
Component: Cabal library | Version: 1.10.2.0
Severity: major | Keywords:
Difficulty: unknown | Ghcversion:
Platform: |
----------------------------+-----------------------------------------------
It appears that when running cabal install package, the package is
downloaded without any transport security.
Anyone who can perform a man-in-the-middle attack could tamper with the
package that is being downloaded, resulting in a complete compromise of
the cabal user.
This makes it impossible to use cabal.
The servers should utilize TLS; it is possible to get a free certificate
from StartCom if price is a concern.
Additionally, when packages are verified as non-malicious, they should be
signed with a "cabal" signing key, and then the package signatures should
be verified by cabal.
--
Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/946>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects
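One way to realize the signing and verification step the ticket asks for, as an added example that is not Cabal's or Hackage's own code: the index operator signs a small manifest (name, version, SHA-256 of the tarball) with an Ed25519 key, and the client, holding only the pinned public key, rejects any download whose manifest signature or tarball digest does not check out. The manifest layout, the Ed25519 choice and the key pair generated here are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for one index entry (not Hackage's
// format): the release the server claims to serve and the SHA-256 of its tarball.
type Manifest struct {
	Name, Version, SHA256 string
}

// Encode produces the exact bytes that get signed. Any change to the
// release metadata changes these bytes and therefore breaks the signature.
func (m Manifest) Encode() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest is the index operator's step, done with the offline signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyDownload is the client-side check: the public key is pinned in the
// client, the manifest signature is checked first, then the tarball digest.
func VerifyDownload(pub ed25519.PublicKey, m Manifest, sig, tarball []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return errors.New("manifest signature invalid: entry altered or not signed by the trusted key")
	}
	sum := sha256.Sum256(tarball)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("tarball digest mismatch: contents differ from the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	tarball := []byte("constructed tarball bytes for foo-1.0")
	sum := sha256.Sum256(tarball)
	m := Manifest{Name: "foo", Version: "1.0", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine download:", VerifyDownload(pub, m, sig, tarball))
	tampered := append([]byte("substituted content; "), tarball...) // what an on-path attacker could serve
	fmt.Println("tampered tarball:", VerifyDownload(pub, m, sig, tampered))
}
```

The signature check catches modified packages whatever the transport carries, but it says nothing about whether the index entry is the newest one, so the ticket's request for TLS on the servers still stands alongside it.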
_______________________________________________
cabal-devel mailing list
[email protected]
http://www.haskell.org/mailman/listinfo/cabal-devel