In-Reply-To: <1715197846.20190312233340@yandex.ru>
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w@mail.gmail.com> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA@mail.gmail.com> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q@mail.gmail.com> <1406950005.20190312031618@yandex.ru> <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg@mail.gmail.com> <1715197846.20190312233340@yandex.ru>
From: Lee <ler762@gmail.com>
Date: Tue, 12 Mar 2019 17:14:51 -0400
Message-ID: <CAD8GWstmfqEomcMJ4zu75LLGyy236bkp3EN_CxMewMkJX+e5OQ@mail.gmail.com>
Subject: Re: SSL not required for setup.exe download
To: cygwin@cygwin.com
Content-Type: text/plain; charset="UTF-8"
X-IsSubscribed: yes

On 3/12/19, Andrey Repin <anrdaemon@yandex.ru> wrote:
> Greetings, Lee!
>
>>> Which is way worse in my opinion, than any theoretical MITM attack, which
>>> is easily mitigated with proper validation of your downloads.
>
>> Serious question - exactly how does one do "proper validation of your
>> downloads"?
>
> Use PGP signature to validate the installer. Use separate channel to obtain
> trust records for PGP key used in signing.

Yes, in the ideal world.  But at least in my experience, most Windows
software doesn't come with a PGP signature & using a separate channel
to get the PGP key isn't so easy.

Just out of curiosity... has the Cygwin public key been posted in
multiple places or sent to the mailing list?  Getting the exe, sig &
key from https://cygwin.com/install.html seems not the best security.

> And not blindly trust "supposedly-secure" connections.

I don't.  But I trust TLS connections a lot more than I trust
clear-text connections.

Regards,
Lee
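
The validation discussed in this message, as an added example that is not part of either poster's text and is not Cygwin's own tooling: a POSIX shell wrapper around `gpg --verify` that accepts a download only when the signature is valid and was made by the key whose full fingerprint was obtained over a separate channel. The function names, the argument order and the policy of rejecting expired or revoked keys are assumptions of this example; the pinned fingerprint has to be supplied by the reader.

```shell
#!/bin/sh
# Added example (not Cygwin's tooling). Function names are hypothetical.

# Uppercase a fingerprint and drop the spaces/colons people paste with it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF'
}

# Reads `gpg --status-fd` lines on stdin; $1 is the pinned fingerprint.
# Returns 0 = valid signature by the pinned key, 1 = reject, 2 = bad pin.
signed_by_pinned_key() {
    want=$(normalize_fpr "$1")
    # Require a full 40-hex-digit (v4) fingerprint; short key IDs can collide.
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    verdict=1   # fail closed: no VALIDSIG line means no acceptance
    while read -r tag kw rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            # Policy assumed here: expired/revoked keys are rejected too.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # Last VALIDSIG field is the primary key's fingerprint.
                [ "${rest##* }" = "$want" ] || return 1
                verdict=0 ;;
        esac
    done
    return "$verdict"
}

# verify_download FILE SIGFILE KEYFILE PINNED_FPR
# KEYFILE may come from the same site as FILE: it is imported into a
# throwaway keyring and only counts if it matches PINNED_FPR.
verify_download() {
    tmp=$(mktemp -d) || return 2
    gpg --homedir "$tmp" --batch --quiet --import "$3" 2>/dev/null
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        signed_by_pinned_key "$4"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```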


