Support HTTP authentication for updating package lists and downloading packages #2761
Comments
IIRC this is implemented in HEAD. |
|
@23Skidoo can you point to a commit? I found the one for adding HTTPS support but not the one for doing auth on cabal update and downloading packages... |
|
I was thinking of #2627.
Right, this is not implemented. |
…[Enables workaround for haskell#2761]
|
Sending the password in the URL is a very bad idea — much infrastructure assumes that URLs are not confidential and they are almost certain to be logged, etc. Instead, the password must be sent separately from the URL. Furthermore, sending a password over plaintext HTTP should be disabled. |
Right. The top-level |
|
Do we have anyone committed to making this happen for 2.0? This doesn't seem like a blocker. |
Don't think so. |
|
Is this fixed by #7630? |
|
I think it was half-fixed already (for wget) and now that fixes it with curl, which should suffice! Note that the above concern about passwords not getting sent in the url is fine, afaik -- i.e. they're specified in the url in the syntax, but the transport handling handles them separately. |
Users running private Hackage instances may wish to reverse proxy though a server that provides HTTP authentication. Cabal should be configurable with per-repository usernames and passwords to provide to repository servers when asked for authentication. This, in conjunction with #2760, would provide a great deal more security for users running private Hackage instances.
The text was updated successfully, but these errors were encountered: