[ocaml-platform] Secure OPAM?

ygrek ygrek at autistici.org
Mon Mar 30 11:01:27 BST 2015

On Sat, 17 Jan 2015 16:19:46 +0100
Gabriel Scherer <gabriel.scherer at gmail.com> wrote:

> As far as I know, the current status is that OPAM checks downloaded
> packages against the checksum in opam-repository, so it protects
> against an attacker changing upstream releases, assuming the
> opam-repository remains trusted and there is no man-in-the-middle
> (MITM) attack when the user downloads the metadata -- afaik it uses
> only HTTP currently.

Also note that client doesn't require checksums by default, and enabling the option
to require checksums makes it abort on any repository-pinned package :(


More information about the Platform mailing list