Date: Fri, 11 May 2007 21:47:20 -0400
From: Christopher Faylor <cgf-use-the-mailinglist-please@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: MD5s of setup.exe on mirrors.
Message-ID: <20070512014720.GB30086@ednor.casa.cgf.cx>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
References: <5qd5179mvu.fsf@hod.lan.m-e-leypold.de> <4644CB03.9070707@determina.com> <20070511202353.GA25421@trixie.casa.cgf.cx> <4644E349.7000604@determina.com>
In-Reply-To: <4644E349.7000604@determina.com>
User-Agent: Mutt/1.5.14 (2007-02-12)

On Fri, May 11, 2007 at 02:42:33PM -0700, Alexander Sotirov wrote:
>Christopher Faylor wrote:
>>>Nobody seemed to care.  Considering the fact that MD5 collisions are
>>>now trivial to generate, it probably doesn't matter much anyways - the
>>>fact that your copy of setup.exe has the right MD5 doesn't mean that it
>>>hasn't been tampered with.
>>
>>We don't control the content of mirrors.
>>
>>If you think this is an issue, contact the mirror(s) in question.
>
>This is an issue with the Cygwin website, not the mirrors.

That is your opinion.

>There is a chain of trust from http://cygwin.com to the mirrors.  Since
>the official Cygwin site lists these mirrors at
>http://cygwin.com/mirrors.html, you're endorsing them as officially
>approved locations to download Cygwin.  This means that you have to
>monitor reports about misbehaving mirrors and remove ones that
>distribute corrupted or possibly malicious binaries under the Cygwin
>name.

If/when we find a mirror distributing a malicious binary we will remove
it.

However, in the meantime, I would suggest that people only use the
setup.exe that is distributed from cygwin.com, i.e., click on the
"Install Cygwin Now" link.


