X-Spam-Check-By: sourceware.org Message-ID: <4644E349.7000604@determina.com> Date: Fri, 11 May 2007 14:42:33 -0700 From: Alexander Sotirov User-Agent: Thunderbird 1.5.0.10 (Windows/20070221) MIME-Version: 1.0 To: cygwin AT cygwin DOT com Subject: Re: MD5s of setup.exe on mirrors. References: <5qd5179mvu DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> <4644CB03 DOT 9070707 AT determina DOT com> <20070511202353 DOT GA25421 AT trixie DOT casa DOT cgf DOT cx> In-Reply-To: <20070511202353.GA25421@trixie.casa.cgf.cx> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Christopher Faylor wrote: >> Nobody seemed to care. Considering the fact that MD5 collisions are now trivial >> to generate, it probably doesn't matter much anyways - the fact that your copy >> of setup.exe has the right MD5 doesn't mean that it hasn't been tampered with. > > We don't control the content of mirrors. > > If you think this is an issue, contact the mirror(s) in question. This is an issue with the Cygwin website, not the mirrors. There is a chain of trust from http://cygwin.com to the mirrors. Since the official Cygwin site list these mirrors at http://cygwin.com/mirrors.html, you're endorsing them as an officially approved locations to download Cygwin. This means that you have to monitor reports about misbehaving mirrors and remove ones that distribute corrupted or possibly malicious binaries under the Cygwin name. Alex -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/