X-Spam-Check-By: sourceware.org
Date: Mon, 14 May 2007 15:52:53 -0400
From: Christopher Faylor <cgf-use-the-mailinglist-please@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: MD5s of setup.exe on mirrors.
Message-ID: <20070514195253.GC5651@ednor.casa.cgf.cx>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
References: <063001c7947a$3312cea0$2e08a8c0@CAM.ARTIMI.COM> <lblkfu5olv.fsf@hod.lan.m-e-leypold.de> <46461FA2.E6EFA773@dessent.net> <i646w3lyh.fsf@hod.lan.m-e-leypold.de> <20070513161110.GA5651@ednor.casa.cgf.cx> <46489A67.7090503@determina.com> <4648A523.1010705@cygwin.com> <20070514182135.GA6692@trixie.casa.cgf.cx> <4648B71D.4000804@determina.com> <4648BD78.7090908@cygwin.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4648BD78.7090908@cygwin.com>
User-Agent: Mutt/1.5.14 (2007-02-12)
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie.com@cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com

On Mon, May 14, 2007 at 03:50:16PM -0400, Larry Hall (Cygwin) wrote:
>Alexander Sotirov wrote:
>> Christopher Faylor wrote:
>>>That + if you want to talk about trust then you should trust the method
>>>that we advertise for installing cygwin which is to click on the
>>>"Install Cygwin Now!" link.
>>
>>Are you saying that I should trust setup.exe downloaded from cygwin.com
>>more than setup.exe downloaded from a mirror?  That doesn't make sense.
>>
>>Even if I download setup.exe from cygwin.com, it still fetches the
>>package data from a mirror.  As far as I know the package data is not
>>signed, so setup.exe cannot verify that it has not been tampered with.
>>If a mirror has a modified bash package with a malicious binary in it,
>>the result will be no different than running an untrusted setup.exe.
>>
>>In fact, the mirror list used by setup.exe does not contain the
>>official ftp.cygwin.com site, giving users no choice but to use (and
>>trust) mirrors.
>
>Do you actually have a question or do you just want to speak your
>piece?  Seems to me that you're asking questions but then not really
>paying attention to the answers, even when they come from a project
>leader.  Perhaps you want to come at this again and clarify whether
>you're looking for information or just want to make a statement.

No, please.  Can't we just drop this?  This is obviously just one of
those pointless cyclic usenet discussions which doesn't go anywhere.

cgf


