Message-ID: <39669463.A390765@ece.gatech.edu>
Date: Fri, 07 Jul 2000 22:39:31 -0400
From: Charles Wilson
To: Dave Arnold
CC: cygwin AT sourceware DOT cygnus DOT com
Subject: Re: missing tsort in textutils.tar.gz
References: <00c801bfe882$fea6ccc0$c0bf1004 AT homepc DOT freedsl DOT com>

> What about some of the sites like http://cygutils.netpedia.net/ etc? are
> they trusted/certified too?
>

Trusted by whom? How *much* trust?

I maintain the cygutils site; everything on that site was built by me personally. However, my machine could be infected, or the netpedia host could get hacked, or someone could man-in-the-middle as I'm uploading a new tarball. Or man-in-the-middle you as you're downloading it. There's *ALWAYS* a risk when you download stuff from the internet. For that matter, you don't know me from Adam; perhaps I'm a black hat. I say that I am not, but why believe me?

As DJ said, sites (and people) *earn* trust. Reputation and past history count for far more than other, more technological means of validation and authentication.

I *could* get a PGP key, get it certified into a web-of-trust, sign the packages, etc, etc. I've decided instead to provide checksums for the packages themselves using md5sum -- but that only protects you against corrupted downloads. Besides, PGP keys & webs-of-trust only indicate that someone *else* that you don't know verified that I am who I say I am, and that a third person you don't know verified them, etc. etc. You just have to trust me (and netpedia, and their security, and my personal virus precautions) that the tarballs themselves don't contain (trojans | virii | worms).

You don't have to trust me, or any other site. Just download from somewhere else. Again, you don't know me or the proprietor of any specific site. For my part, I won't be offended if you choose to go elsewhere. :-)

--Chuck
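
The message's point that an md5sum "only protects you against corrupted downloads", as an added example that is not part of the original message or the cygutils site: it mimics the `md5sum -c` decision for a file damaged in transit and for a file replaced together with the checksum file that travels the same path. The file name, the contents and the separately obtained copy of the checksum are constructed assumptions.

```python
import hashlib
import hmac

NAME = "example-1.0.tar.gz"  # constructed file name, not a real package


def md5_line(data: bytes, name: str) -> str:
    """One line in md5sum's output format: '<32 hex digits>  <name>'."""
    return f"{hashlib.md5(data).hexdigest()}  {name}"


def lookup(listing: str, name: str):
    """Return the digest recorded for `name` in an md5sum listing, or None."""
    for line in listing.splitlines():
        parts = line.split(None, 1)
        # md5sum marks binary-mode entries with a leading '*' on the name.
        if len(parts) == 2 and len(parts[0]) == 32 and parts[1].lstrip("*") == name:
            return parts[0].lower()
    return None


def verify(data: bytes, name: str, listing: str) -> bool:
    """What `md5sum -c` decides: does the data hash to the listed digest?"""
    expected = lookup(listing, name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), expected)


def scenarios() -> dict:
    original = b"constructed tarball contents, release 1.0\n"
    site_listing = md5_line(original, NAME)  # checksum file served beside the tarball
    recorded_earlier = site_listing  # assumption: a copy the user obtained separately
    # Case 1: a byte is damaged in transit; the checksum file arrives intact.
    corrupted = original[:10] + b"\x00" + original[11:]
    # Case 2: the tarball is replaced on the host or in transit, and the
    # checksum file travelling the same path is regenerated to match it.
    replaced = b"constructed substitute contents\n"
    replaced_listing = md5_line(replaced, NAME)
    return {
        "intact": verify(original, NAME, site_listing),
        "corrupted": verify(corrupted, NAME, site_listing),
        "replaced_same_channel": verify(replaced, NAME, replaced_listing),
        "replaced_vs_separate_copy": verify(replaced, NAME, recorded_earlier),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:28} {'OK' if ok else 'FAILED'}")
```

The replaced file passes when its checksum arrives over the same channel and fails only against the copy obtained separately, so the check is as trustworthy as the path the checksum took.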