[ocaml-platform] Secure OPAM?

Gabriel Scherer gabriel.scherer at gmail.com
Fri Apr 17 08:52:08 BST 2015


(Since this thread was last active there have been very promising
discussions on security that could see the day for OPAM 1.3.)

This list may be interested in the recent plan/proposal for security in
Hackage (Haskell's package distribution infrastructure), which is
basically "follow TUF":
  http://www.well-typed.com/blog/2015/04/improving-hackage-security/

On Mon, Mar 30, 2015 at 12:01 PM, ygrek <ygrek at autistici.org> wrote:

> On Sat, 17 Jan 2015 16:19:46 +0100
> Gabriel Scherer <gabriel.scherer at gmail.com> wrote:
>
> > As far as I know, the current status is that OPAM checks downloaded
> > packages against the checksum in opam-repository, so it protects
> > against an attacker changing upstream releases, assuming the
> > opam-repository remains trusted and there is no man-in-the-middle
> > (MITM) attack when the user downloads the metadata -- afaik it uses
> > only HTTP currently.
>
> Also note that the client doesn't require checksums by default, and
> enabling the option to require checksums makes it abort on any
> repository-pinned package :(
>
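The checksum model discussed above (the client hashes the downloaded archive and compares it with the value recorded in the repository metadata; a missing checksum is tolerated by default, and the whole scheme only holds if the metadata itself was not tampered with in transit) as an added example in Python, not OPAM's own code. The `url`-file-like metadata, the `checksum: "algo=hex"` field syntax, the archive bytes and the function names are constructed for this example and are not opam's actual grammar or API:

```python
"""Added example: verify a package archive against the checksum in its
repository metadata, in the two policies the thread mentions (checksum
optional by default, or strictly required), and show why the check says
nothing about metadata that an attacker could rewrite in transit."""
import hashlib
import hmac
import re

# Constructed metadata shape, loosely modelled on an opam `url` file.
# The "algo=hex" checksum syntax is an assumption for this example.
CHECKSUM_RE = re.compile(
    r'^checksum:\s*"(?:(md5|sha256|sha512)=)?([0-9a-fA-F]+)"\s*$', re.M)


def parse_checksum(url_file):
    """Return (algorithm, hexdigest) or None when no checksum is recorded.
    A bare hex value is treated as md5 (assumption, mirroring older opam)."""
    m = CHECKSUM_RE.search(url_file)
    if m is None:
        return None
    return (m.group(1) or "md5"), m.group(2).lower()


def verify_archive(data, url_file, require_checksum=False):
    """Return "ok" when the archive matches the recorded checksum,
    "unverified" when none is recorded and checksums are optional,
    and raise ValueError for a mismatch or (in strict mode) a missing sum."""
    parsed = parse_checksum(url_file)
    if parsed is None:
        if require_checksum:
            raise ValueError("metadata carries no checksum; strict mode refuses it")
        return "unverified"          # the permissive default described above
    algo, expected = parsed
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; cheap hygiene even though the digest is public.
    if not hmac.compare_digest(actual, expected):
        raise ValueError("checksum mismatch: expected %s, got %s" % (expected, actual))
    return "ok"


def outcome(data, url_file, require_checksum=False):
    """Wrap verify_archive so every branch is a plain string."""
    try:
        return verify_archive(data, url_file, require_checksum)
    except ValueError as exc:
        return "rejected: " + str(exc)


# Constructed sample inputs (not real packages).
ARCHIVE = b"constructed tarball bytes for foo-1.0\n"
TAMPERED = ARCHIVE + b"extra bytes inserted by someone in the middle\n"
GOOD_SUM = hashlib.sha256(ARCHIVE).hexdigest()
URL_WITH_SUM = ('archive: "http://example.invalid/foo-1.0.tar.gz"\n'
                'checksum: "sha256=%s"\n' % GOOD_SUM)
URL_NO_SUM = 'archive: "http://example.invalid/foo-1.0.tar.gz"\n'


def mitm_outcome():
    """The caveat in the thread: if the metadata travels over plain HTTP,
    an attacker who swaps the archive can also swap the checksum line, and
    the client-side comparison passes. Only authenticated metadata helps."""
    forged_sum = hashlib.sha256(TAMPERED).hexdigest()
    forged_meta = ('archive: "http://example.invalid/foo-1.0.tar.gz"\n'
                   'checksum: "sha256=%s"\n' % forged_sum)
    return outcome(TAMPERED, forged_meta)


if __name__ == "__main__":
    print("good archive, checksum present :", outcome(ARCHIVE, URL_WITH_SUM))
    print("tampered archive               :", outcome(TAMPERED, URL_WITH_SUM))
    print("no checksum, default policy    :", outcome(ARCHIVE, URL_NO_SUM))
    print("no checksum, strict policy     :", outcome(ARCHIVE, URL_NO_SUM, True))
    print("attacker rewrote metadata too  :", mitm_outcome())
```

The last case is the one the thread is really about: a per-package checksum only pins the archive to whatever the metadata says, so the security of the scheme reduces to the integrity of the metadata channel, which is exactly what a TUF-style signed repository addresses.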