Date: Mon, 14 May 2007 15:52:53 -0400
From: Christopher Faylor
To: cygwin AT cygwin DOT com
Subject: Re: MD5s of setup.exe on mirrors.

On Mon, May 14, 2007 at 03:50:16PM -0400, Larry Hall (Cygwin) wrote:
>Alexander Sotirov wrote:
>> Christopher Faylor wrote:
>>>That + if you want to talk about trust then you should trust the method
>>>that we advertise for installing cygwin which is to click on the
>>>"Install Cygwin Now!" link.
>>
>>Are you saying that I should trust setup.exe downloaded from cygwin.com
>>more than setup.exe downloaded from a mirror? That doesn't make sense.
>>
>>Even if I download setup.exe from cygwin.com, it still fetches the
>>package data from a mirror. As far as I know the package data is not
>>signed, so setup.exe cannot verify that it has not been tampered with.
>>If a mirror has a modified bash package with a malicious binary in it,
>>the result will be no different than running an untrusted setup.exe.
>>
>>In fact, the mirror list used by setup.exe does not contain the
>>official ftp.cygwin.com site, giving users no choice but to use (and
>>trust) mirrors.
>
>Do you actually have a question or do you just want to speak your
>piece? Seems to me that you're asking questions but then not really
>paying attention to the answers, even when they come from a project
>leader. Perhaps you want to come at this again and clarify whether
>you're looking for information or just want to make a statement.

No, please. Can't we just drop this? This is obviously just one of
those pointless cyclic usenet discussions which doesn't go anywhere.

cgf