HTTPS doesn't really change anything if the server is compromised, it only prevents bad things from happening in transit.
Sign the packages with GPG (or equivalent) before upload. The server never sees the package author's private key, only the public key. Server and/or client can warn or fail if the public key doesn't match their previous credentials or the signature verification fails. On Wed, Jan 30, 2013 at 11:44 AM, Niklas Hambüchen <m...@nh2.me> wrote: > As long as we upload packages via plain HTTP, signing won't help though. > > On Wed 30 Jan 2013 19:27:32 GMT, Edward Z. Yang wrote: > > https://status.heroku.com/incidents/489 > > > > Unsigned Hackage packages are a ticking time bomb. > > > > Cheers, > > Edward > > > > _______________________________________________ > > Haskell-Cafe mailing list > > Haskell-Cafe@haskell.org > > http://www.haskell.org/mailman/listinfo/haskell-cafe > > _______________________________________________ > Haskell-Cafe mailing list > Haskell-Cafe@haskell.org > http://www.haskell.org/mailman/listinfo/haskell-cafe >
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
