id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,difficulty,ghcversion,platform
946,Packages are downloaded insecurely,cooldude,,"It appears that when running cabal install package, the package is downloaded without any transport security.

Anyone who can perform a man-in-the-middle attack could tamper with the package that is being downloaded, resulting in a complete compromise of the cabal user.

This makes it impossible to use cabal.

The servers should utilize TLS; it is possible to get a free certificate from StartCom if price is a concern.

Additionally, when packages are verified as non-malicious, they should be signed with a ""cabal"" signing key, and then the package signatures should be verified by cabal.",defect,new,high,,Cabal library,1.10.2.0,major,,,,unknown,,
