Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <39669463.A390765@ece.gatech.edu>
Date: Fri, 07 Jul 2000 22:39:31 -0400
From: Charles Wilson <cwilson AT ece DOT gatech DOT edu>
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Dave Arnold <avr_fan AT mailandnews DOT com>
CC: cygwin AT sourceware DOT cygnus DOT com
Subject: Re: missing tsort in textutils.tar.gz
References: <00c801bfe882$fea6ccc0$c0bf1004 AT homepc DOT freedsl DOT com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


> What about some of the sites like http://cygutils.netpedia.net/ etc? are
> they trusted/certified too?
> 

Trusted by whom? How *much* trust?

I maintain the cygutils site; everything on that site was built by me
personally. However, my machine could be infected, or the netpedia host
could get hacked, or someone could man-in-the-middle as I'm uploading a
new tarball. Or man-in-the-middle you as you're downloading it. There's
*ALWAYS* a risk when you download stuff from the internet. For that
matter, you don't know me from Adam; perhaps I'm a black hat. I say that
I am not, but why believe me?

As DJ said, sites (and people) *earn* trust. Reputation and past history
count for far more than other, more technological means of validation
and authentication. I *could* get a PGP key, get it certified into a
web-of-trust, sign the packages, etc, etc. I've decided instead to
provide checksums for the packages themselves using md5sum -- but that
only protects you against corrupted downloads. Besides, PGP keys &
webs-of-trust only indicate that someone *else* that you don't know
verified that I am who I say I am, and that a third person you don't
know verified them, etc. etc. 

You just have to trust me (and netpedia, and their security, and my
personal virus precautions) that the tarballs themselves don't contain
(trojans | virii | worms).

You don't have to trust me, or any other site. Just download from
somewhere else. Again, you don't know me or the proprietor of any
specific site. For my part, I won't be offended if you choose to go
elsewhere. :-)

--Chuck

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com