Mail Archives: cygwin/2000/07/07/22:41:56

Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <39669463.A390765@ece.gatech.edu>
Date: Fri, 07 Jul 2000 22:39:31 -0400
From: Charles Wilson <cwilson AT ece DOT gatech DOT edu>
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Dave Arnold <avr_fan AT mailandnews DOT com>
CC: cygwin AT sourceware DOT cygnus DOT com
Subject: Re: missing tsort in textutils.tar.gz
References: <00c801bfe882$fea6ccc0$c0bf1004 AT homepc DOT freedsl DOT com>

> What about some of the sites like http://cygutils.netpedia.net/ etc? are
> they trusted/certified too?
> 

Trusted by whom? How *much* trust?

I maintain the cygutils site; everything on that site was built by me
personally. However, my machine could be infected, or the netpedia host
could get hacked, or someone could man-in-the-middle as I'm uploading a
new tarball. Or man-in-the-middle you as you're downloading it. There's
*ALWAYS* a risk when you download stuff from the internet. For that
matter, you don't know me from Adam; perhaps I'm a black hat. I say that
I am not, but why believe me?

As DJ said, sites (and people) *earn* trust. Reputation and past history
count for far more than other, more technological means of validation
and authentication. I *could* get a PGP key, get it certified into a
web-of-trust, sign the packages, etc, etc. I've decided instead to
provide checksums for the packages themselves using md5sum -- but that
only protects you against corrupted downloads. Besides, PGP keys &
webs-of-trust only indicate that someone *else* that you don't know
verified that I am who I say I am, and that a third person you don't
know verified them, etc. etc. 

You just have to trust me (and netpedia, and their security, and my
personal virus precautions) that the tarballs themselves don't contain
(trojans | virii | worms).

You don't have to trust me, or any other site. Just download from
somewhere else. Again, you don't know me or the proprietor of any
specific site. For my part, I won't be offended if you choose to go
elsewhere. :-)

--Chuck
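
The limit of a checksum published next to the package, as an added example that is not part of the original message: the file names, byte strings and the idea of a SHA-256 reference digest received over a separate channel are all constructed assumptions for illustration.

```python
import hashlib
import hmac

def md5sum_line(name: str, data: bytes) -> str:
    """One line in the format md5sum writes: '<hex digest>  <file name>'."""
    return f"{hashlib.md5(data).hexdigest()}  {name}"

def publish(name: str, data: bytes) -> dict:
    """Model a download host: the package plus the checksum list beside it."""
    return {name: data, "md5.sum": (md5sum_line(name, data) + "\n").encode()}

def check_against_published(host: dict, name: str) -> bool:
    """Like `md5sum -c`: compare the file with the digest listed on the same host."""
    for line in host["md5.sum"].decode().splitlines():
        digest, _, listed = line.partition("  ")
        if listed == name:
            return hmac.compare_digest(hashlib.md5(host[name]).hexdigest(), digest)
    return False  # no entry for this file, so nothing vouches for it

def check_against_pinned(host: dict, name: str, pinned_sha256: str) -> bool:
    """Compare the file with a digest that did not come from the download host."""
    actual = hashlib.sha256(host[name]).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)

NAME = "example-1.0.tar.gz"  # constructed file name
GENUINE = b"constructed stand-in for the maintainer's tarball bytes\n"
# Assumption: this value reached the user by an independent channel.
PINNED = hashlib.sha256(GENUINE).hexdigest()

def scenarios() -> dict:
    """Return {case: (published-checksum result, pinned-digest result)}."""
    clean = publish(NAME, GENUINE)
    # Corrupted download: one byte damaged, checksum list untouched.
    corrupted = dict(clean)
    corrupted[NAME] = GENUINE[:10] + b"\x00" + GENUINE[11:]
    # Substitution at the host or in transit: package and checksum list
    # are replaced together, so they still agree with each other.
    substituted = publish(NAME, b"constructed stand-in for different contents\n")
    cases = {"clean": clean, "corrupted": corrupted, "substituted": substituted}
    return {
        label: (check_against_published(host, NAME),
                check_against_pinned(host, NAME, PINNED))
        for label, host in cases.items()
    }

if __name__ == "__main__":
    for label, (published_ok, pinned_ok) in scenarios().items():
        print(f"{label:12} published md5: {published_ok}  pinned digest: {pinned_ok}")
```

The pinned digest only moves the question to how far the second channel is trusted, which is the same judgement the message describes.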

  Copyright © 2019   by DJ Delorie     Updated Jul 2019