X-Spam-Check-By: sourceware.org
Message-ID: <4648B71D.4000804@determina.com>
Date: Mon, 14 May 2007 12:23:09 -0700
From: Alexander Sotirov <asotirov@determina.com>
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
To: cygwin@cygwin.com
Subject: Re: MD5s of setup.exe on mirrors.
References: <5qd5179mvu.fsf@hod.lan.m-e-leypold.de> <4644CB03.9070707@determina.com> <o7d5164e3s.fsf@hod.lan.m-e-leypold.de> <063001c7947a$3312cea0$2e08a8c0@CAM.ARTIMI.COM> <lblkfu5olv.fsf@hod.lan.m-e-leypold.de> <46461FA2.E6EFA773@dessent.net> <i646w3lyh.fsf@hod.lan.m-e-leypold.de> <20070513161110.GA5651@ednor.casa.cgf.cx> <46489A67.7090503@determina.com> <4648A523.1010705@cygwin.com> <20070514182135.GA6692@trixie.casa.cgf.cx>
In-Reply-To: <20070514182135.GA6692@trixie.casa.cgf.cx>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com

Christopher Faylor wrote:
> That + if you want to talk about trust then you should trust the method
> that we advertise for installing cygwin which is to click on the
> "Install Cygwin Now!" link.

Are you saying that I should trust setup.exe downloaded from cygwin.com more
than setup.exe downloaded from a mirror? That doesn't make sense.

Even if I download setup.exe from cygwin.com, it still fetches the package data
from a mirror. As far as I know the package data is not signed, so setup.exe
cannot verify that it has not been tampered with. If a mirror has a modified
bash package with a malicious binary in it, the result will be no different than
running an untrusted setup.exe.

In fact, the mirror list used by setup.exe does not contain the official
ftp.cygwin.com site, giving users no choice but to use (and trust) mirrors.

Alex

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
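The integrity argument in the message above (a hash list served by the same mirror as the packages cannot detect a mirror that rewrites both) can be shown end to end with a small model. This is an added example written for this thread, not code from setup.exe or the Cygwin project; the `name sha512hex` manifest format, the `Mirror` type and the Ed25519 project key are all constructed assumptions standing in for a setup.ini-style index and whatever signing scheme a project might adopt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest maps package name -> expected hex SHA-512. The "name hash" line
// format is a constructed stand-in for a setup.ini-style index, not Cygwin's.
type Manifest map[string]string

// ParseManifest parses lines of the form "name sha512hex".
func ParseManifest(text string) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		switch len(fields) {
		case 0:
			continue // blank line
		case 2:
			m[fields[0]] = fields[1]
		default:
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
	}
	return m, nil
}

// Mirror is everything the downloader sees. A hostile mirror controls all of it.
type Mirror struct {
	ManifestText string
	ManifestSig  []byte // detached Ed25519 signature over ManifestText
	Packages     map[string][]byte
}

func checkHash(m Manifest, name string, pkg []byte) error {
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("package %q not listed in manifest", name)
	}
	sum := sha512.Sum512(pkg)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("package %q: hash mismatch", name)
	}
	return nil
}

// VerifyUnsigned trusts whatever manifest the mirror serves. It catches a
// corrupted download, but not a mirror that rewrote manifest and package together.
func VerifyUnsigned(mr Mirror, name string) error {
	m, err := ParseManifest(mr.ManifestText)
	if err != nil {
		return err
	}
	return checkHash(m, name, mr.Packages[name])
}

// VerifySigned first checks the manifest against a key obtained out of band
// (e.g. pinned in the installer), so the mirror cannot substitute its own manifest.
func VerifySigned(mr Mirror, pinned ed25519.PublicKey, name string) error {
	if !ed25519.Verify(pinned, []byte(mr.ManifestText), mr.ManifestSig) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	return VerifyUnsigned(mr, name)
}

func manifestFor(pkgs map[string][]byte) string {
	var b strings.Builder
	for name, data := range pkgs {
		sum := sha512.Sum512(data)
		fmt.Fprintf(&b, "%s %s\n", name, hex.EncodeToString(sum[:]))
	}
	return b.String()
}

// BuildScenario constructs an honest mirror signed by the project key, plus a
// tampered copy where the mirror swapped a package and regenerated the manifest
// so the hashes still line up. All package contents are constructed sample data.
func BuildScenario() (honest, tampered Mirror, pub ed25519.PublicKey, err error) {
	var priv ed25519.PrivateKey
	pub, priv, err = ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	honestPkgs := map[string][]byte{"bash": []byte("constructed: genuine bash package")}
	honest = Mirror{ManifestText: manifestFor(honestPkgs), Packages: honestPkgs}
	honest.ManifestSig = ed25519.Sign(priv, []byte(honest.ManifestText))

	// The mirror operator has no project private key, so the old signature no
	// longer matches the rewritten manifest text.
	evilPkgs := map[string][]byte{"bash": []byte("constructed: replaced bash package")}
	tampered = Mirror{ManifestText: manifestFor(evilPkgs), Packages: evilPkgs}
	tampered.ManifestSig = honest.ManifestSig
	return
}

func main() {
	honest, tampered, pub, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("honest, unsigned:  ", VerifyUnsigned(honest, "bash"))
	fmt.Println("tampered, unsigned:", VerifyUnsigned(tampered, "bash")) // nil: goes undetected
	fmt.Println("honest, signed:    ", VerifySigned(honest, pub, "bash"))
	fmt.Println("tampered, signed:  ", VerifySigned(tampered, pub, "bash"))
}
```

The second `Println` is the point of the thread: with an unsigned manifest the tampered mirror passes every check the downloader can run, because the mirror chose the hashes. Only the signature check, anchored in a key that did not come from the mirror, fails on the substituted package; a download of setup.exe from a different host does nothing to change this unless setup.exe carries such a key.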