marmalade-repo.org appears to have neither SSL/TLS nor package checksums
Correct me if I missed the checksums, but I couldn't find them anywhere.
As such, package downloads from marmalade-repo.org are trivially MITMable, giving arbitrary code execution on the client machine.
Ideally, you additionally want some manner for package maintainers/authors to upload signatures which are, at minimum, verified on the marmalade-repo.org server. Bonus points if signature verification is done on the client side as well. Otherwise compromise of a maintainer's account means that a modified package could be uploaded and served to clients. Compromising any maintainer's account shouldn't be difficult, as there is no SSL/TLS, and so passwords are sent in the clear.
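The client-side check the post asks for, as an added example (not code from the issue or from marmalade): a download is only accepted if its SHA-256 matches an entry in a checksum manifest published by the archive. The package bytes, the manifest, and the file names are constructed here so the example runs offline; the manifest is derived from the sample bytes in the script rather than fetched, which a real client would do over TLS.

```python
"""Client-side checksum verification for package downloads (constructed example)."""
import hashlib
import hmac

# Constructed sample package contents; stands in for a file fetched from the archive.
PACKAGE_NAME = "example-pkg-1.0.el"
PACKAGE_BYTES = b";;; example-pkg.el --- constructed sample package\n(provide 'example-pkg)\n"

# Constructed manifest in `sha256sum` format ("<hex>  <filename>"). In a real
# deployment the archive publishes this and the client fetches it over TLS; here it
# is derived from the sample bytes so the example is self-contained.
MANIFEST_TEXT = (
    "# checksums for the example archive (constructed)\n"
    f"{hashlib.sha256(PACKAGE_BYTES).hexdigest()}  {PACKAGE_NAME}\n"
    f"{'0' * 64}  other-pkg-2.3.tar\n"
)


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: hexdigest}; reject malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<hex>  <name>'")
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad sha256 digest")
        # sha256sum prefixes binary-mode names with '*'; strip it
        name = name.lstrip("*").strip()
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_package(name, data, manifest):
    """Return (ok, reason). Only an exact SHA-256 match counts as verified."""
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: no checksum published, refusing to install"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: checksum mismatch (download corrupted or tampered)"
    return True, f"{name}: checksum verified"


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    print(verify_package(PACKAGE_NAME, PACKAGE_BYTES, manifest))
    # Any change to the bytes in transit changes the digest, so the client refuses it
    print(verify_package(PACKAGE_NAME, PACKAGE_BYTES + b"(message \"modified\")\n", manifest))
    # A package with no published checksum is refused rather than installed unverified
    print(verify_package("unknown-0.1.el", b"", manifest))
```

A checksum manifest only helps if the manifest itself arrives intact, which is why it needs to come over TLS or be covered by a maintainer signature; the example deliberately refuses packages that have no manifest entry instead of falling back to an unverified install.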
This is dead now. marmalade is now run by me and the repo is http://github.com/nicferrier/elmarmalade
We still have no cert and no sigs but I am slowly working on those things.