X-Spam-Check-By: sourceware.org
To: cygwin@cygwin.com
Subject: Re: MD5s of setup.exe on mirrors.
References: <5qd5179mvu.fsf@hod.lan.m-e-leypold.de> 	<4644CB03.9070707@determina.com> 	<o7d5164e3s.fsf@hod.lan.m-e-leypold.de> 	<063001c7947a$3312cea0$2e08a8c0@CAM.ARTIMI.COM> 	<lblkfu5olv.fsf@hod.lan.m-e-leypold.de> 	<46461FA2.E6EFA773@dessent.net> <i646w3lyh.fsf@hod.lan.m-e-leypold.de> 	<20070513161110.GA5651@ednor.casa.cgf.cx> 	<46489A67.7090503@determina.com> <4648A523.1010705@cygwin.com> 	<20070514182135.GA6692@trixie.casa.cgf.cx> 	<4648B71D.4000804@determina.com> <4648BD78.7090908@cygwin.com>
From: "Markus E.L." <ls-cygwin-2006@m-e-leypold.de>
Date: Mon, 14 May 2007 22:17:31 +0200
In-Reply-To: <4648BD78.7090908@cygwin.com> (Larry Hall's message of "Mon, 14  May 2007 15:50:16 -0400")
Message-ID: <bliravgnxg.fsf@hod.lan.m-e-leypold.de>
User-Agent: Some cool user agent (SCUG)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-IsSubscribed: yes
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie.com@cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com


"LarryHall(Cygwin)" writes:

> Alexander Sotirov wrote:
>> Christopher Faylor wrote:
>>> That + if you want to talk about trust then you should trust the method
>>> that we advertise for installing cygwin which is to click on the
>>> "Install Cygwin Now!" link.
>> 
>> Are you saying that I should trust setup.exe downloaded from cygwin.com more
>> than setup.exe downloaded from a mirror? That doesn't make sense.
>> 
>> Even if I download setup.exe from cygwin.com, it still fetches the package data
>> from a mirror. As far as I know the package data is not signed, so setup.exe
>> cannot verify that is has not been tampered with. If a mirror has a modified
>> bash package with a malicious binary in it, the result will be no different than
>> running an untrusted setup.exe.
>> 
>> In fact, the mirror list used by setup.exe does not contain the official
>> ftp.cygwin.com site, giving users no choice but to use (and trust) mirrors.
>
> Do you actually have a question or do you just want to speak your piece?

He probably forgot that the list is for questions only.

> Seems to me that you're asking questions but then not really paying
> attention to the answers, even when they come from a project leader.
> Perhaps you want to come at this again and clarify whether you're looking
> for information or just want to make a statement.

<Shaking my head>. 

Regards -- Markus

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/