Mail Archives: cygwin/2010/03/16/04:53:36
On Tue, Mar 16, 2010 at 3:25 AM, Steven Monai wrote:
[snip]
> IT departments are becoming increasingly security conscious. That's
> probably why the OP had trouble downloading setup.exe. It wasn't because
> his IT was "brain-dead", but because there are legitimate security
> concerns about downloading an unsigned exe over a non-SSL-authenticated
> channel.
Unfortunately, many IT departments follow the "We must do something.
This is something. Therefore we must do this." action plan :/
Installing a webfilter falls into this category, IMO.
> I suggest people inform themselves about the current state of art in
> "man-in-the-middle" hijacking attacks, because the means by which
> cygwin.com currently distributes setup.exe is vulnerable to a MITM
> surreptitiously delivering a trojan setup.exe in place of the actual.
> For this reason, I caution Cygwin users against downloading setup.exe
> over unsafe networks (e.g. public wireless hotspots, hotel networks, etc.).
Or the Internet, in general :)
Perhaps the MD5 and/or SHA1 checksums for the current setup.exe should
be published (and updated every time there's a new release) next to
the download link (like Apache does, for example)
--
Life is complex, with real and imaginary parts
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
- Raw text -