X-Recipient: archive-cygwin@delorie.com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; q=dns; s=default; b=VR5QRFE OE6Tc8iqMPatk2X3/SzCbOpDBbZG5VoZbuwGTU6/2GfKfCU/zMxE91CIs3bZUFcy jwE1AbskQjWZmNkRUntFwIcnYnE+iKXYf2neWb839+B1L6LV+S6xzTUgI0Ga8ngK WtvmzLULQ66Hvb5ZYcBdAIlx2/p0VqSX0G20= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; s=default; bh=ogK/iUO38OPIV 6Y63ZiIDlnkFy0=; b=xjBDGgeiqdzkNkWtmHAaejNrdGJOiJOtX1hKCeDQ/kmmP Pe0SJ173uwJzfRh3IQGu9Qq90S2uCnORePgbAK1UBLYP0iRf34G5UngSWBUDHDYZ fQsMOUtx3ZSaNatKnZFx1C9utI9VkPDwgZKez3qxf6T/7jj08IMua06c3cCFfA= Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=obtaining, HX-Received:538b, HX-Google-DKIM-Signature:FDF, H*r:a0c X-HELO: mail-qt1-f182.google.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=uU+RUuTeKgt4NHVozsOlRAkK8qIgrayv5H9odU+85Xw=; b=a8D+zQ0MpfBomc2gFmWsIUVhsTx2jaR3uRRppYVDjQoAr15ozORIwlBQ7zeA49tlGi 8Y7lhBJJdiLLNHIbTksSaxfDOawSjS3ZL1dv5rpH2Pke/mT5SoEaOSz8KN/PEtWHBAhG 5PC8kOyh2tKt+j2jLk5cI+gZlv+EdQ+rFP9ZNukS+mSS6YaYRObrx8QfWXjMqTInUv18 /cZbP2T35f8JhtjQBZVWvC/3pFYZMYgA8cYoBF74ZFACfXF/O8yBTLEuOjsCZhUsnfge 41RfLJgX033qJycTprDLw3k4J7ZdlhGZkWsgCkDNsUUGtRxjFRkw9uh7+tSolgVUvmaa YToQ== MIME-Version: 1.0 In-Reply-To: <3510142791.20190313003420@yandex.ru> References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> <1406950005.20190312031618@yandex.ru> <1715197846.20190312233340@yandex.ru> <3510142791.20190313003420@yandex.ru> From: Lee Date: Tue, 12 Mar 2019 18:01:25 -0400 Message-ID: Subject: Re: SSL not required for setup.exe download To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes On 3/12/19, Andrey Repin wrote: > Greetings, Lee! > >>>>> Which is way worse in my opinion, than any theoretical MITM attack, >>>>> which >>>>> is easily mitigated with proper validation of your downloads. >>> >>>> Serious question - exactly how does one do "proper validation of your >>>> downloads"? >>> >>> Use PGP signature to validate the installer. Use separate channel to >>> obtain >>> trust records for PGP key used in signing. > >> Yes, in the ideal world. But at least in my experience, most windows >> software doesn't come with a pgp signature & using a separate channel >> to get the pgp key isn't so easy. > > In my experience, this is a Cygwin mailing list and we're discussing issues > of obtaining and verifying the authenticity of setup.exe. But you made proper validation sound so easy and so general :) But ok, we'll limit it to just the cygwin setup.exe. What separate channel is available for finding the cygwin signing key? My recollection is that I gave up looking & used the link on the install page to get the public key. > P.S. > In regard to Cygwin mailing list, please teach your mail agent to not quote > raw email addresses. Sorry about that Regards, Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple