Mail Archives: cygwin/2007/05/12/04:45:40

To: cygwin AT cygwin DOT com
Subject: Re: MD5s of setup.exe on mirrors.
References: <5qd5179mvu DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> <4644CB03 DOT 9070707 AT determina DOT com>
From: ls-cygwin-2006 AT m-e-leypold DOT de
Date: Sat, 12 May 2007 10:53:43 +0200
In-Reply-To: <4644CB03.9070707@determina.com> (Alexander Sotirov's message of "Fri, 11 May 2007 12:58:59 -0700")
Message-ID: <o7d5164e3s.fsf@hod.lan.m-e-leypold.de>

Alexander Sotirov <asotirov AT determina DOT com> writes:

> ls-cygwin-2006 AT m-e-leypold DOT de wrote:
>> Cygwin mirrors have in their toplevel a setup.exe and an md5.sum. The
>> md5sum is
>> 
>>   ae1944f528338033bab3b4710d5bd736  setup.bz2
>>   b31ddcef84f25919a5d3184167b4a90d  setup.exe
>>   0503889504b7ff0b23e65586a522b3ad  setup.ini
>> 
>> whereas the setup.exe has actually the md5sum:
>> 
>>   fbc848393ed05ef4f51a253f75bcafeb
>> 
>> I checked that for ftp://mirror.switch.ch/mirror/cygwin/setup.exe and
>> ftp://ftp.mirror.ac.uk/sites/sources.redhat.com/ftp/cygwin/setup.exe
>> and some others.
>
> I reported this in January: http://cygwin.com/ml/cygwin/2007-02/msg00006.html
>
> Nobody seemed to care. Considering the fact that MD5 collisions are now trivial
> to generate, it probably doesn't matter much anyways - the fact that your copy
> of setup.exe has the right MD5 doesn't mean that it hasn't been tampered with.

Hi Alex,

BTW, thanks for your references in your January post to sources on
MD5 collisions -- I hadn't realized that the risk of a successful
attack is far from purely academic now (though, as I understand,
creating a collision between two meaningful documents/programs seems to
require that the attacker controls both, which isn't the case here).

WRT setup.exe: I now see that you also referred to the cygwin ftp
site (which I ignored since it's not linked on the mirrors page at
cygwin.com). Setup.exe there has the right md5sum (the setup.exe I've
been referring to was the one linked from the http site pages).

Since I assume that the mirrors pull from the cygwin ftp site
something even stranger is happening there. Since all mirrors I
checked so far are carrying the changed setup.exe, I'd locate the
common cause for all that somewhere at the cygwin side rather than at
the mirrors.

@ the cygwin team: I suggest you touch(1) setup.exe once at the master
site to trigger a new transfer to the mirrors and see what
happens. This is a thing you can do for all of us and will cost you
hardly anything. I don't see the mirror users on the other side
writing to all the mirror admins -- which, if I'm right, would have to
come back to you anyway.

And yes, I agree: the thought that the mirrors can get out of sync in
this way with the master site is somewhat unsettling, despite the fact
that there are md5sums for every source and binary package. Reminds
me that my mirroring-to-CD tool should actively check all md5sums
before creating the ISO image.

Regards -- Markus


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
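The check Markus says his mirroring-to-CD tool should perform (verify every md5.sum in the tree against the files beside it before building the ISO), as an added example. This is not Markus's tool or any Cygwin code; it assumes the coreutils md5.sum line format ("<32 hex digits>  <filename>") that the quoted listing shows, and the sample mirror it builds is constructed in a temp directory, with one file that matches, one that was swapped after md5.sum was written (the setup.exe situation from the thread) and one that never arrived.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# One md5.sum entry: 32 hex digits, whitespace, optional "*" (md5sum binary mode), filename.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def parse_md5sum(text):
    """Parse md5.sum contents into {filename: hexdigest}; blank and '#' lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable md5.sum line: %r" % raw)
        entries[m.group(2)] = m.group(1).lower()
    return entries


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large package archives don't get read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_mirror_dir(directory):
    """Check every entry of <directory>/md5.sum against the files next to it.

    Returns {filename: "ok" | "mismatch" | "missing"}. A mismatch is the
    out-of-sync case from the thread; a missing file is a partial sync.
    """
    directory = Path(directory)
    expected = parse_md5sum((directory / "md5.sum").read_text())
    results = {}
    for name, digest in expected.items():
        target = directory / name
        if not target.is_file():
            results[name] = "missing"
        elif md5_of_file(target) != digest:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def verify_mirror_tree(root):
    """Walk a mirror tree, verify every md5.sum found, return sorted (relpath, status) for non-ok files."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        if "md5.sum" not in files:
            continue
        for name, status in verify_mirror_dir(dirpath).items():
            if status != "ok":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                problems.append((rel, status))
    return sorted(problems)


def build_sample_mirror():
    """Constructed sample mirror (not real Cygwin data) in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="mirror-"))
    good_ini = b"constructed setup.ini contents\n"
    original_exe = b"MZ constructed original setup.exe\n"
    (root / "setup.ini").write_bytes(good_ini)
    # md5.sum was generated from the original setup.exe and a setup.bz2 ...
    lines = [
        "%s  setup.ini" % hashlib.md5(good_ini).hexdigest(),
        "%s  setup.exe" % hashlib.md5(original_exe).hexdigest(),
        "%s  setup.bz2" % hashlib.md5(b"constructed setup.bz2\n").hexdigest(),
    ]
    (root / "md5.sum").write_text("\n".join(lines) + "\n")
    # ... but the mirror ended up with a different setup.exe, and setup.bz2 never arrived.
    (root / "setup.exe").write_bytes(b"MZ constructed replacement setup.exe\n")
    return root


if __name__ == "__main__":
    sample = build_sample_mirror()
    for rel, status in verify_mirror_tree(sample):
        print("%-10s %s" % (status, rel))
```

For a single directory, `md5sum -c md5.sum` from coreutils performs the same per-file comparison from the shell; the script's only addition is walking the whole tree and collecting the failures so an ISO build can refuse to proceed on any mismatch. Note the limit Sotirov points out in the quoted reply: this confirms the mirror's files match the mirror's md5.sum, not that the md5.sum itself is the master's or that MD5 would resist a deliberately engineered collision.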
