Ticket #946 (new defect)
Opened 13 months ago
Packages are downloaded insecurely
| Reported by: | cooldude | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | Cabal library | Version: | 1.10.2.0 |
| Severity: | major | Keywords: | |
| Cc: | Difficulty: | unknown | |
| GHC Version: | Platform: |
Description
It appears that when running cabal install package, the package is downloaded without any transport security.
Anyone who can perform a man in the middle attack could tamper with the package that is being downloaded, resulting in a complete compromise of the cabal user.
This makes it impossible to use cabal.
The servers should utilize TLS, it is possible to get a free certificate from startcom if price is a concern.
Additionally when packages are verified as non-malicious, they should be signed with a "cabal" signing key, and then the package signatures should be verified by cabal.
Note: See
TracTickets for help on using
tickets.
