Mail Archives: cygwin/2007/05/14/15:53:17

X-Spam-Check-By: sourceware.org
Date: Mon, 14 May 2007 15:52:53 -0400
From: Christopher Faylor <cgf-use-the-mailinglist-please AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: MD5s of setup.exe on mirrors.
Message-ID: <20070514195253.GC5651@ednor.casa.cgf.cx>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <063001c7947a$3312cea0$2e08a8c0 AT CAM DOT ARTIMI DOT COM> <lblkfu5olv DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> <46461FA2 DOT E6EFA773 AT dessent DOT net> <i646w3lyh DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> <20070513161110 DOT GA5651 AT ednor DOT casa DOT cgf DOT cx> <46489A67 DOT 7090503 AT determina DOT com> <4648A523 DOT 1010705 AT cygwin DOT com> <20070514182135 DOT GA6692 AT trixie DOT casa DOT cgf DOT cx> <4648B71D DOT 4000804 AT determina DOT com> <4648BD78 DOT 7090908 AT cygwin DOT com>
MIME-Version: 1.0
In-Reply-To: <4648BD78.7090908@cygwin.com>
User-Agent: Mutt/1.5.14 (2007-02-12)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Mon, May 14, 2007 at 03:50:16PM -0400, Larry Hall (Cygwin) wrote:
>Alexander Sotirov wrote:
>> Christopher Faylor wrote:
>>>That + if you want to talk about trust then you should trust the method
>>>that we advertise for installing cygwin which is to click on the
>>>"Install Cygwin Now!" link.
>>
>>Are you saying that I should trust setup.exe downloaded from cygwin.com
>>more than setup.exe downloaded from a mirror?  That doesn't make sense.
>>
>>Even if I download setup.exe from cygwin.com, it still fetches the
>>package data from a mirror.  As far as I know the package data is not
>>signed, so setup.exe cannot verify that it has not been tampered with.
>>If a mirror has a modified bash package with a malicious binary in it,
>>the result will be no different than running an untrusted setup.exe.
>>
>>In fact, the mirror list used by setup.exe does not contain the
>>official ftp.cygwin.com site, giving users no choice but to use (and
>>trust) mirrors.
>
>Do you actually have a question or do you just want to speak your
>piece?  Seems to me that you're asking questions but then not really
>paying attention to the answers, even when they come from a project
>leader.  Perhaps you want to come at this again and clarify whether
>you're looking for information or just want to make a statement.

No, please.  Can't we just drop this?  This is obviously just one of
those pointless cyclic usenet discussions which doesn't go anywhere.

cgf
