Date: Wed, 26 Sep 2012 10:24:42 -0400
From: Christopher Faylor <cgf-use-the-mailinglist-please@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: include SHA1/MD5 hash/digest of setup.exe, and use HTTPS
Message-ID: <20120926142442.GB24866@ednor.casa.cgf.cx>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
References: <50629F1D.7070406@yahoo.com> <50630661.5020307@cs.utoronto.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <50630661.5020307@cs.utoronto.ca>
User-Agent: Mutt/1.5.20 (2009-06-14)
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com

On Wed, Sep 26, 2012 at 09:42:57AM -0400, Ryan Johnson wrote:
>tl;dr: publishing a checksum for setup.exe is a good idea, https makes 
>little or no sense in this setting, and cryptographic signatures for 
>packages would be nice to have but would burden volunteers while 
>providing incomplete protection.
>
>(response follows)
>
>On 26/09/2012 2:22 AM, Bry8 Star wrote:
>> Please include SHA1/MD5 hash/digest code of "setup.exe" file, on webpage
>> next to "setup.exe" download url-link.
>Providing a digest for setup.exe is probably a good idea, and probably 
>not too hard.

And, it's already done.  See:  http://cygwin.com/install.html .

FWIW, I'm not personally interested in going through the effort of
setting up https access for sourceware.  And, I'm personally even less
interested in changing setup.exe to use https.

As Ryan noted, we don't control the cygwin mirrors so this would likely
be a pointless exercise anyway.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple