Mail Archives: cygwin/2019/03/12/17:35:35

X-Recipient: archive-cygwin AT delorie DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=BAYES_00,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.1 spammy=obtaining, UD:ru, HX-Languages-Length:978, terrible
X-HELO: forward100p.mail.yandex.net
Authentication-Results: mxback6j.mail.yandex.net; dkim=pass header.i=@yandex.ru
Date: Wed, 13 Mar 2019 00:34:20 +0300
From: Andrey Repin <anrdaemon AT yandex DOT ru>
Reply-To: cygwin AT cygwin DOT com
Message-ID: <3510142791.20190313003420@yandex.ru>
To: Lee <ler762 AT gmail DOT com>, cygwin AT cygwin DOT com
Subject: Re: SSL not required for setup.exe download
In-Reply-To: <CAD8GWstmfqEomcMJ4zu75LLGyy236bkp3EN_CxMewMkJX+e5OQ@mail.gmail.com>
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <1406950005 DOT 20190312031618 AT yandex DOT ru> <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg AT mail DOT gmail DOT com> <1715197846 DOT 20190312233340 AT yandex DOT ru> <CAD8GWstmfqEomcMJ4zu75LLGyy236bkp3EN_CxMewMkJX+e5OQ AT mail DOT gmail DOT com>
MIME-Version: 1.0
X-IsSubscribed: yes

Greetings, Lee!

>> Greetings, Lee!
>>
>>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>>> which is easily mitigated with proper validation of your downloads.
>>
>>> Serious question - exactly how does one do "proper validation of your
>>> downloads"?
>>
>> Use a PGP signature to validate the installer. Use a separate channel to
>> obtain trust records for the PGP key used in signing.

> Yes, in the ideal world.  But at least in my experience, most Windows
> software doesn't come with a PGP signature & using a separate channel
> to get the PGP key isn't so easy.

In my experience, this is a Cygwin mailing list and we're discussing issues
of obtaining and verifying the authenticity of setup.exe.

P.S.
In regard to the Cygwin mailing list, please teach your mail agent to not quote
raw email addresses.


-- 
With best regards,
Andrey Repin
Wednesday, March 13, 2019 0:32:21

Sorry for my terrible english...

