Mail Archives: cygwin/2019/03/12/16:35:21

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2019/03/12/16:35:21

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:date:from:reply-to:message-id:to:subject

:in-reply-to:references:mime-version:content-type

:content-transfer-encoding; q=dns; s=default; b=eUTg6g6mRYUrgepe

whA2/XNNScAiFO15wfPJ7ZkAv6GoZtsEmC31XWJW+bQXB0Ii0u7ufvel14GSa2cm

RlS1LhMbU21otMM6wrbh/AJVoIw9bKm/fkmZMqVF2uJSIIJm8etMMe5uVYKlqPLi

IqMvFqyB22ocszCMrKoO4FJehV0=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:date:from:reply-to:message-id:to:subject

:in-reply-to:references:mime-version:content-type

:content-transfer-encoding; s=default; bh=naeARgTfT2DtmpewM0RL6+

VIEAk=; b=ny3c8zAhFJtUWfOcNfI520ZOwLcAmTwr/BLqETs12zAadDgmsf4j5u

d0FWMc4wJ5ntSSEXwpQHkYcxj7IdxstmjWf8S1VC6aV1KMIYxR2aEX2mVJ8aB/2u

LJx5qPXAxItj39WirAs1kBXtTLJvSGA5tWOJK7tyQXgPdL5tR19qo=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=BAYES_00,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.1 spammy=UD:ru, terrible, H*M:yandex, H*RU:sk:forward

X-HELO: forward100j.mail.yandex.net

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1552422902; bh=TrXc0QYGJiB6NsjMT88VIqa/dMat9K0ANqMIiPtR/R0=; h=In-Reply-To:Subject:To:Reply-To:From:Message-ID:References:Date; b=lz0/rQc/B2JToBlpY8coQKrgwiZA/QqiX7ugIE7kCkEcc955I+/3tpPJ+1Hve4IF+ nyEt0nXDVZQZ4bctIyHIgk8c8bHrnsP+xwSutn6z//y5GTwEklJ2QTuBXFRhp5npCs w/P2wZbLQkVNaA0qwbmwbbkbfwIExMUqOY3JfzYo=

Authentication-Results: mxback17g.mail.yandex.net; dkim=pass header.i=@yandex.ru

Date: Tue, 12 Mar 2019 23:33:40 +0300

From: Andrey Repin <anrdaemon AT yandex DOT ru>

Reply-To: cygwin AT cygwin DOT com

Message-ID: <1715197846.20190312233340@yandex.ru>

To: Lee <ler762 AT gmail DOT com>, cygwin AT cygwin DOT com

Subject: Re: SSL not required for setup.exe download

In-Reply-To: <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg@mail.gmail.com>

References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <1406950005 DOT 20190312031618 AT yandex DOT ru> <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg AT mail DOT gmail DOT com>

MIME-Version: 1.0

X-IsSubscribed: yes

Greetings, Lee!

>> Which is way worse in my opinion, than any theoretical MITM attack, which
>> is easily mitigated with proper validation of your downloads.

> Serious question - exactly how does one do "proper validation of your
> downloads"?

Use PGP signature to validate the installer. Use separate channel to obtain
trust records for PGP key used in signing.

And not blindly trust "supposedly-secure" connections.


-- 
With best regards,
Andrey Repin
Tuesday, March 12, 2019 23:31:45

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; q=dns; s=default; b=eUTg6g6mRYUrgepe
	whA2/XNNScAiFO15wfPJ7ZkAv6GoZtsEmC31XWJW+bQXB0Ii0u7ufvel14GSa2cm
	RlS1LhMbU21otMM6wrbh/AJVoIw9bKm/fkmZMqVF2uJSIIJm8etMMe5uVYKlqPLi
	IqMvFqyB22ocszCMrKoO4FJehV0=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; s=default; bh=naeARgTfT2DtmpewM0RL6+
	VIEAk=; b=ny3c8zAhFJtUWfOcNfI520ZOwLcAmTwr/BLqETs12zAadDgmsf4j5u
	d0FWMc4wJ5ntSSEXwpQHkYcxj7IdxstmjWf8S1VC6aV1KMIYxR2aEX2mVJ8aB/2u
	LJx5qPXAxItj39WirAs1kBXtTLJvSGA5tWOJK7tyQXgPdL5tR19qo=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=-0.7 required=5.0 tests=BAYES_00,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.1 spammy=UD:ru, terrible, HM:yandex, HRU:sk:forward
X-HELO:	forward100j.mail.yandex.net
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1552422902; bh=TrXc0QYGJiB6NsjMT88VIqa/dMat9K0ANqMIiPtR/R0=; h=In-Reply-To:Subject:To:Reply-To:From:Message-ID:References:Date; b=lz0/rQc/B2JToBlpY8coQKrgwiZA/QqiX7ugIE7kCkEcc955I+/3tpPJ+1Hve4IF+ nyEt0nXDVZQZ4bctIyHIgk8c8bHrnsP+xwSutn6z//y5GTwEklJ2QTuBXFRhp5npCs w/P2wZbLQkVNaA0qwbmwbbkbfwIExMUqOY3JfzYo=
Authentication-Results:	mxback17g.mail.yandex.net; dkim=pass header.i=@yandex.ru
Date:	Tue, 12 Mar 2019 23:33:40 +0300
From:	Andrey Repin <anrdaemon AT yandex DOT ru>
Reply-To:	cygwin AT cygwin DOT com
Message-ID:	<1715197846.20190312233340@yandex.ru>
To:	Lee <ler762 AT gmail DOT com>, cygwin AT cygwin DOT com
Subject:	Re: SSL not required for setup.exe download
In-Reply-To:	<CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg@mail.gmail.com>
References:	<CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <1406950005 DOT 20190312031618 AT yandex DOT ru> <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg AT mail DOT gmail DOT com>
MIME-Version:	1.0
X-IsSubscribed:	yes