X-Recipient: archive-cygwin@delorie.com
X-SWARE-Spam-Status: No, hits=-1.8 required=5.0 	tests=AWL,BAYES_00,SARE_MSGID_LONG40
X-Spam-Check-By: sourceware.org
MIME-Version: 1.0
In-Reply-To: <4B9EEC2D.9020602@monai.ca>
References: <1268526388.20918.ezmlm@cygwin.com> 	 <Pine.LNX.4.58.1003141111350.14642@mail3.jubileegroup.co.uk> 	 <20100314163002.GA12172@ednor.casa.cgf.cx> 	 <03988E63C1BD48809EA3A27E4D6A3661@phoenix> <4B9D1B9C.6000302@monai.ca> 	 <20100314190223.GD13515@ednor.casa.cgf.cx> <4B9EEC2D.9020602@monai.ca>
Date: Tue, 16 Mar 2010 10:53:17 +0100
Message-ID: <1ef5a52f1003160253g55aa7bf7l79bda3768f50c969@mail.gmail.com>
Subject: Re: incomplete/corrupted setup.exe
From: Csaba Raduly <rcsaba@gmail.com>
To: cygwin@cygwin.com
Content-Type: text/plain; charset=ISO-8859-1
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie.com@cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com

On Tue, Mar 16, 2010 at 3:25 AM, Steven Monai wrote:
[snip]
> IT departments are becoming increasingly security conscious. That's
> probably why the OP had trouble downloading setup.exe. It wasn't because
> his IT was "brain-dead", but because there are legitimate security
> concerns about downloading an unsigned exe over a non-SSL-authenticated
> channel.

Unfortunately, many IT departments follow the "We must do something.
This is something. Therefore we must do this." action plan :/
Installing a webfilter falls into this category, IMO.

> I suggest people inform themselves about the current state of art in
> "man-in-the-middle" hijacking attacks, because the means by which
> cygwin.com currently distributes setup.exe is vulnerable to a MITM
> surreptitiously delivering a trojan setup.exe in place of the actual.
> For this reason, I caution Cygwin users against downloading setup.exe
> over unsafe networks (e.g. public wireless hotspots, hotel networks, etc.).

Or the Internet, in general :)

Perhaps the MD5 and/or SHA1 checksums for the current setup.exe should
be published (and updated every time there's a new release) next to
the download link (like Apache does, for example)

-- 
Life is complex, with real and imaginary parts

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple