X-Recipient: archive-cygwin@delorie.com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:reply-to:message-id:to:subject :in-reply-to:references:mime-version:content-type :content-transfer-encoding; q=dns; s=default; b=TFRE1QG5Pz8RsLyY jNE01oIwIiIuwkWLd4TK6mpq+6ZoXEI0I53BRwHsMOqwxmLH82QmTzdql+VyYz5J E/adqiWKEh1o4vBJNVkfv67UJSSGs3b9jL9DejeR301+IchBJ8aF+4jbSczQ8bAO 34SwY7Uwc5n4dQWVNxLkVip/3OY= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:reply-to:message-id:to:subject :in-reply-to:references:mime-version:content-type :content-transfer-encoding; s=default; bh=ZGcRhd8//UqZJhpDA1gWNc REBmA=; b=N27/uZmsLUD0EX/rnY6setlVSa9Ldchkoa0AzHTvF/YfnhkeA2F8Ge xXETHfU63uTpOmFTNmExvCyjbzD+d7CzUjSeu2kUThzqUzGfZoTb1Z1uHf6G+w5G W8hvJhe8TQa6GvMK0idGMLFanTZUoZeBjQ8JDLzmNUsTlhPje+a+U= Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=BAYES_00,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.1 spammy=obtaining, UD:ru, HX-Languages-Length:978, terrible X-HELO: forward100p.mail.yandex.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1552426501; bh=onWb5JBjXqK257DI0eqID+uq8LnK9bTexrRgOJJ+yR4=; h=In-Reply-To:Subject:To:Reply-To:From:Message-ID:References:Date; b=heq/HngvDQPjHTn19ApEhkVTVnrA9Gn56oleg9XYZ0sDocZmcvkqENRy55a7c1Uts YA7IxloiZYNbfqeDbN93E+Ep2RRjbi+heyHATADFseUeHl2D75wv/lhIfQscVUlYmT oggvIvrlBdvdN98y5GUF57mY4xEa4QLJDi6s4Q+A= Authentication-Results: mxback6j.mail.yandex.net; dkim=pass header.i=@yandex.ru Date: Wed, 13 Mar 2019 00:34:20 +0300 From: Andrey Repin Reply-To: cygwin@cygwin.com Message-ID: <3510142791.20190313003420@yandex.ru> To: Lee , cygwin@cygwin.com Subject: Re: SSL not required for setup.exe download In-Reply-To: References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> <1406950005.20190312031618@yandex.ru> <1715197846.20190312233340@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-IsSubscribed: yes Greetings, Lee! >> Greetings, Lee! >> >>>> Which is way worse in my opinion, than any theoretical MITM attack, >>>> which >>>> is easily mitigated with proper validation of your downloads. >> >>> Serious question - exactly how does one do "proper validation of your >>> downloads"? >> >> Use PGP signature to validate the installer. Use separate channel to obtain >> trust records for PGP key used in signing. > Yes, in the ideal world. But at least in my experience, most windows > software doesn't come with a pgp signature & using a separate channel > to get the pgp key isn't so easy. In my experience, this is a Cygwin mailing list and we're discussing issues of obtaining and verifying the authenticity of setup.exe. P.S. In regard to Cygwin mailing list, please teach your mail agent to not quote raw email addresses. -- With best regards, Andrey Repin Wednesday, March 13, 2019 0:32:21 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple