X-Spam-Check-By: sourceware.org
Message-ID: <4648B71D.4000804@determina.com>
Date: Mon, 14 May 2007 12:23:09 -0700
From: Alexander Sotirov <asotirov AT determina DOT com>
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: MD5s of setup.exe on mirrors.
References: <5qd5179mvu DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> <4644CB03 DOT 9070707 AT determina DOT com> <o7d5164e3s DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> <063001c7947a$3312cea0$2e08a8c0 AT CAM DOT ARTIMI DOT COM> <lblkfu5olv DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> <46461FA2 DOT E6EFA773 AT dessent DOT net> <i646w3lyh DOT fsf AT hod DOT lan DOT m-e-leypold DOT de> <20070513161110 DOT GA5651 AT ednor DOT casa DOT cgf DOT cx> <46489A67 DOT 7090503 AT determina DOT com> <4648A523 DOT 1010705 AT cygwin DOT com> <20070514182135 DOT GA6692 AT trixie DOT casa DOT cgf DOT cx>
In-Reply-To: <20070514182135.GA6692@trixie.casa.cgf.cx>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Christopher Faylor wrote:
> That + if you want to talk about trust then you should trust the method
> that we advertise for installing cygwin which is to click on the
> "Install Cygwin Now!" link.

Are you saying that I should trust setup.exe downloaded from cygwin.com more
than setup.exe downloaded from a mirror? That doesn't make sense.

Even if I download setup.exe from cygwin.com, it still fetches the package data
from a mirror. As far as I know the package data is not signed, so setup.exe
cannot verify that is has not been tampered with. If a mirror has a modified
bash package with a malicious binary in it, the result will be no different than
running an untrusted setup.exe.

In fact, the mirror list used by setup.exe does not contain the official
ftp.cygwin.com site, giving users no choice but to use (and trust) mirrors.

Alex

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/