X-Spam-Check-By: sourceware.org
To: cygwin AT cygwin DOT com
Subject: Re: MD5s of setup.exe on mirrors.
References: <5qd5179mvu DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> 	<4644CB03 DOT 9070707 AT determina DOT com> 	<20070511202353 DOT GA25421 AT trixie DOT casa DOT cgf DOT cx>
From: ls-cygwin-2006 AT m-e-leypold DOT de
Date: Fri, 11 May 2007 22:46:05 +0200
In-Reply-To: <20070511202353.GA25421@trixie.casa.cgf.cx> (Christopher  Faylor's message of "Fri, 11 May 2007 16:23:53 -0400")
Message-ID: <mgodkr84xe.fsf@hod.lan.m-e-leypold.de>
User-Agent: Some cool user agent (SCUG)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com


> On Fri, May 11, 2007 at 12:58:59PM -0700, Alexander Sotirov wrote:
>>ls-cygwin-2006 AT m-e-leypold DOT de wrote:
>>> Cygwin mirrors have in their toplevel a setup.exe and an md5.sum. The
>>> m5sum is
>>> 
>>>   ae1944f528338033bab3b4710d5bd736  setup.bz2
>>>   b31ddcef84f25919a5d3184167b4a90d  setup.exe
>>>   0503889504b7ff0b23e65586a522b3ad  setup.ini
>>> 
>>> whereas the setup.exe has actually the md5sum:
>>> 
>>>   fbc848393ed05ef4f51a253f75bcafeb
>>> 
>>> I checked that for ftp://mirror.switch.ch/mirror/cygwin/setup.exe and
>>> ftp://ftp.mirror.ac.uk/sites/sources.redhat.com/ftp/cygwin/setup.exe
>>> and some others.
>>
>>I reported this in January: http://cygwin.com/ml/cygwin/2007-02/msg00006.html
>>
>>Nobody seemed to care. Considering the fact that MD5 collisions are now trivial
>>to generate, it probably doesn't matter much anyways - the fact that your copy
>>of setup.exe has the right MD5 doesn't mean that it hasn't been tampered with.
>
> We don't control the content of mirrors.
>
> If you think this is an issue, contact the mirror(s) in question.
>
> cgf

I've only checked some mirrors. Since all have those same setup.exe,
my idea was, that it would be the original (do I even have access to
that -- I think I'm supposed not to dowloed from there?) server which
is also carrying this other executable.

Therefore my advice to check there (and I trust you're controlling the
master server?), but of course I might be totally confused and
mistaking all and everything.

Regards -- Markus

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/