Mail Archives: cygwin/2019/04/26/12:28:38

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
From: Joel Rees <joel DOT rees AT gmail DOT com>
Date: Sat, 27 Apr 2019 01:28:14 +0900
Message-ID: <CAAr43iMirXR-r=Jmy1S0za8Pz-yS-beOGouydkrScHKETEmiZg@mail.gmail.com>
Subject: How to trust setup.exe?
To: cygwin AT cygwin DOT com

When bootstrapping a chain of trust, having multiple sources for the
checksum values is significantly better than starting blind.

I'm writing a blog post on the use of multiple sources, using cygwin as
an example, but the announcements for the updates of setup_xx.exe do
not include the checksums. And the mirrors don't seem to keep
setup_xx.exe. And the mirrors are all using .bz and .xz compression,
which many MS Windows boxes are not able to open without third-party help,
which is a vicious cycle.

The blog post:
https://joels-programming-fun.blogspot.com/2019/04/bootstrapping-your-freedom-cygwin-gpg.html

Would it be impossible to ask someone in the project to put the
checksums in the announcements for setup?

And what about putting a regular zip compressed setup on the mirrors,
so we can run certutil to check the checksum of the setup we run when
we grab our first download, then grab gpg with a somewhat trusted
system to use when checking the next version of setup that we
download?

It would not be a perfect chain, but without that we have nothing but
broken links and reverse implications.

-- 
Joel Rees

http://reiisi.blogspot.jp/p/novels-i-am-writing.html

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
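As an added example (not from Joel's post and not Cygwin project code), here is a PowerShell script for the two-stage check the message describes: certutil for the first, checksum-only download, then gpg for the detached signature once gpg is on the box. The file, signature and key names, the keyring format, and the placeholder checksums are all assumptions, not values taken from the page.

```powershell
# Added example: cross-check setup.exe against checksums gathered from
# several independent channels, then verify its detached GPG signature.
# Assumptions (not stated on the page): the download is setup-x86_64.exe,
# its detached signature is setup-x86_64.exe.sig, and the project's public
# key has been saved as a binary keyring file named pub.gpg.
param(
    [string]$File = ".\setup-x86_64.exe",
    [string]$Sig  = ".\setup-x86_64.exe.sig",
    [string]$Key  = ".\pub.gpg"
)

# Constructed placeholders standing in for checksums copied from independent
# channels (announcement mail, project web page, a second mirror). Replace
# them with real values; as written they differ, so the script will refuse.
$Sources = @{
    "announcement" = "<SHA256 FROM ANNOUNCEMENT MAIL>"
    "website"      = "<SHA256 FROM PROJECT WEB PAGE>"
    "mirror"       = "<SHA256 FROM A SECOND MIRROR>"
}

function Get-CertutilSha256([string]$Path) {
    # certutil -hashfile prints a header line, the hash, then a status line.
    $out = & certutil -hashfile $Path SHA256
    if ($LASTEXITCODE -ne 0) { throw "certutil failed on $Path" }
    # Keep the line made only of hex digits; older certutil builds insert a
    # space between byte pairs, so strip spaces before comparing.
    $line = $out | Where-Object { $_ -match '^[0-9a-fA-F ]+$' } | Select-Object -First 1
    if (-not $line) { throw "could not find a hash line in certutil output" }
    return ($line -replace ' ', '').ToLowerInvariant()
}

$actual = Get-CertutilSha256 $File
# Stage 1: the published values must agree with each other AND with the file.
$distinct = @($Sources.Values | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
if ($distinct.Count -ne 1) {
    Write-Error "Published checksums disagree:`n$($Sources | Out-String)"; exit 1
}
if ($distinct[0] -ne $actual) {
    Write-Error "Checksum mismatch: file=$actual published=$($distinct[0])"; exit 1
}
Write-Host "Checksum matches all $($Sources.Count) sources: $actual"

# Stage 2: once gpg is installed from the checksum-verified setup, verify the
# detached signature against only the project's key, not the user's keyring.
if (Get-Command gpg -ErrorAction SilentlyContinue) {
    & gpg --no-default-keyring --keyring $Key --verify $Sig $File
    if ($LASTEXITCODE -ne 0) { Write-Error "Signature verification FAILED"; exit 1 }
    Write-Host "Signature verified against the key in $Key"
} else {
    Write-Warning "gpg not found; only the checksum stage was performed"
}
```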

  Copyright © 2019   by DJ Delorie     Updated Jul 2019