Mail Archives: cygwin/2019/03/12/17:15:05

In-Reply-To: <1715197846.20190312233340@yandex.ru>
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <1406950005 DOT 20190312031618 AT yandex DOT ru> <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg AT mail DOT gmail DOT com> <1715197846 DOT 20190312233340 AT yandex DOT ru>
From: Lee <ler762 AT gmail DOT com>
Date: Tue, 12 Mar 2019 17:14:51 -0400
Message-ID: <CAD8GWstmfqEomcMJ4zu75LLGyy236bkp3EN_CxMewMkJX+e5OQ@mail.gmail.com>
Subject: Re: SSL not required for setup.exe download
To: cygwin AT cygwin DOT com

On 3/12/19, Andrey Repin <anrdaemon AT yandex DOT ru> wrote:
> Greetings, Lee!
>
>>> Which is way worse in my opinion, than any theoretical MITM attack, which
>>> is easily mitigated with proper validation of your downloads.
>
>> Serious question - exactly how does one do "proper validation of your
>> downloads"?
>
> Use PGP signature to validate the installer. Use separate channel to obtain
> trust records for PGP key used in signing.

Yes, in the ideal world.  But at least in my experience, most Windows
software doesn't come with a PGP signature, and using a separate channel
to get the PGP key isn't so easy.

Just out of curiosity: has the Cygwin public key been posted in
multiple places or sent to the mailing list?  Getting the exe, sig and
key from https://cygwin.com/install.html seems not the best security.

> And not blindly trust "supposedly-secure" connections.

I don't.  But I trust TLS connections a lot more than I trust
clear-text connections.

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
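Andrey's recipe above (a PGP signature on the installer, with the trust record for the signing key obtained over a separate channel), as an added example that is not part of this thread and is not Cygwin's own tooling: a POSIX shell script that verifies a file against its detached OpenPGP signature and accepts it only when the signer's primary-key fingerprint matches one pinned out of band. It assumes GnuPG 2.1 or later is on PATH as `gpg`; the file names, the `example.invalid` identities and the stand-in installer in the self-check are all constructed for the demo. The self-check's third case is exactly Lee's worry: a bundle of exe, sig and key that all came from the same page is self-consistent, `gpg --verify` alone reports a good signature for it, and only the fingerprint pinned from elsewhere rejects it.

```shell
#!/bin/sh
# Added example (not Cygwin's tooling): verify a downloaded file against its
# detached OpenPGP signature, trusting only a signing-key fingerprint that was
# obtained through a separate channel. Assumes GnuPG 2.1+ as "gpg" on PATH.

# verify_signed_download FILE SIG KEYFILE PINNED_FPR
#   FILE, SIG and KEYFILE may all have arrived over the same (possibly
#   tampered) channel; PINNED_FPR is the 40-hex-digit fingerprint you got
#   elsewhere (a list post, a keyserver, a colleague, a second network).
#   Returns 0 only for a good signature over FILE by the key whose primary
#   fingerprint equals PINNED_FPR.
verify_signed_download() {
    vs_file=$1 vs_sig=$2 vs_key=$3
    vs_pinned=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    vs_home=$(mktemp -d) || return 2
    chmod 700 "$vs_home"
    # A throwaway keyring: nothing already trusted on this host may vouch.
    gpg --homedir "$vs_home" --batch --no-tty --quiet --import "$vs_key" \
        >/dev/null 2>&1 || { rm -rf "$vs_home"; return 2; }
    # "gpg --verify" exits 0 for a good signature by *any* key in the keyring,
    # so its exit code says nothing about who signed. Read the status lines
    # and insist on a VALIDSIG whose last field (primary key fpr) is the pin.
    vs_status=$(gpg --homedir "$vs_home" --batch --no-tty --status-fd 1 \
        --verify "$vs_sig" "$vs_file" 2>/dev/null) || true
    gpgconf --homedir "$vs_home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$vs_home"
    printf '%s\n' "$vs_status" | awk -v fpr="$vs_pinned" \
        '$2 == "VALIDSIG" && $NF == fpr { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Offline self-check with throwaway keys: a genuine "publisher", and an
# "attacker" who controls the download channel and ships a bundle of
# installer + signature + key that is perfectly consistent with itself.
self_check() {
    sc_work=$(mktemp -d) || return 2
    for sc_who in publisher attacker; do
        mkdir -m 700 "$sc_work/$sc_who"
        printf '%s\n' '%no-protection' 'Key-Type: EDDSA' 'Key-Curve: ed25519' \
            'Key-Usage: sign' "Name-Real: $sc_who" \
            "Name-Email: $sc_who@example.invalid" 'Expire-Date: 0' '%commit' \
            >"$sc_work/$sc_who/params"
        gpg --homedir "$sc_work/$sc_who" --batch --no-tty --quiet \
            --gen-key "$sc_work/$sc_who/params" >/dev/null 2>&1 \
            || { rm -rf "$sc_work"; return 2; }
        # Constructed stand-in for setup-x86_64.exe.
        printf 'stand-in installer signed by %s\n' "$sc_who" >"$sc_work/$sc_who.exe"
        gpg --homedir "$sc_work/$sc_who" --batch --no-tty --yes --detach-sign \
            --output "$sc_work/$sc_who.exe.sig" "$sc_work/$sc_who.exe" 2>/dev/null
        gpg --homedir "$sc_work/$sc_who" --batch --no-tty --armor \
            --export "$sc_who@example.invalid" >"$sc_work/$sc_who.key.asc" 2>/dev/null
    done
    # What the verifier pinned from a separate channel: the publisher's fpr.
    sc_pin=$(gpg --homedir "$sc_work/publisher" --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    sc_rc=0
    # 1. Genuine bundle: must verify.
    verify_signed_download "$sc_work/publisher.exe" "$sc_work/publisher.exe.sig" \
        "$sc_work/publisher.key.asc" "$sc_pin" || sc_rc=1
    # 2. Same bundle, one byte changed in transit: must be rejected.
    printf 'x' >>"$sc_work/publisher.exe"
    if verify_signed_download "$sc_work/publisher.exe" "$sc_work/publisher.exe.sig" \
        "$sc_work/publisher.key.asc" "$sc_pin"; then sc_rc=1; fi
    # 3. Attacker's bundle: gpg --verify alone reports a good signature
    #    (the key came with the bundle); the pinned fingerprint rejects it.
    if verify_signed_download "$sc_work/attacker.exe" "$sc_work/attacker.exe.sig" \
        "$sc_work/attacker.key.asc" "$sc_pin"; then sc_rc=1; fi
    for sc_who in publisher attacker; do
        gpgconf --homedir "$sc_work/$sc_who" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$sc_work"
    return $sc_rc
}

case "${1:-}" in
    --self-check) self_check && echo "self-check passed" ;;
    "") echo "usage: $0 FILE SIG KEYFILE PINNED_FINGERPRINT | --self-check" >&2 ;;
    *)  if [ $# -eq 4 ] && verify_signed_download "$@"; then
            echo "OK: good signature by the pinned key"
        else
            echo "REJECTED: bad signature, wrong key, or bad arguments" >&2; exit 1
        fi ;;
esac
```

Run it as `sh verify-download.sh setup-x86_64.exe setup-x86_64.exe.sig cygwin-key.asc <fingerprint>`, or with `--self-check` to exercise the three cases offline. The status lines are read instead of the exit code because gpg returns 0 for a good signature by any imported key, whichever key that is; ownertrust in the web of trust is deliberately not relied on either, since the temporary keyring has none and an attacker-supplied key would not have any anyway.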



  Copyright © 2019   by DJ Delorie     Updated Jul 2019