From: "Dave Korn"
Subject: RE: MD5s of setup.exe on mirrors.
Date: Mon, 14 May 2007 20:57:10 +0100
Message-ID: <073301c79662$0ef272c0$2e08a8c0@CAM.ARTIMI.COM>
In-Reply-To: <4648B71D.4000804@determina.com>
Mail-Followup-To: cygwin AT cygwin DOT com

On 14 May 2007 20:23, Alexander Sotirov wrote:

> Even if I download setup.exe from cygwin.com, it still fetches the package
> data from a mirror. As far as I know the package data is not signed, so
> setup.exe cannot verify that it has not been tampered with. If a mirror has
> a modified bash package with a malicious binary in it, the result will be
> no different than running an untrusted setup.exe.

You're half-way there: you're completely right that the package data is not
signed, and therefore setup.exe cannot verify it has not been tampered with.

The missing part of the puzzle is to realise that the md5sums for the packages
are /not/ there for any kind of trust or authenticity. They are *solely* there
to provide robust checksums against download errors. All other considerations
are irrelevant.
cheers,
  DaveK
--
Can't think of a witty .sigline today....
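The distinction Dave draws, a checksum that catches a corrupted transfer versus one that says anything about who produced the file, is easy to see in code. The following is an added illustration, not part of the thread and not Cygwin's setup.exe or its setup.ini format: a toy mirror serves an index of per-package MD5s together with the packages themselves. When the index comes from the same untrusted mirror as the packages, an MD5 match proves only that the download arrived intact; a mirror that replaces a package and regenerates its own index still passes. Detecting that needs a trust anchor obtained from somewhere the mirror does not control, modelled here as a SHA-256 of the genuine index that the client is assumed to have received over a trusted channel (a stand-in for a signature; all package bytes, names and digests are constructed).

```python
"""Checksums for download integrity vs. for authenticity, in a toy
setup.exe-style client. Constructed example: the mirror, its index format,
the package bytes and the pinned digest are all made up here and are not
Cygwin's own code or data."""
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_index(packages: dict) -> bytes:
    """Minimal constructed index format: one '<name> <md5>' line per package."""
    lines = [f"{name} {md5_hex(blob)}" for name, blob in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def parse_index(index: bytes) -> dict:
    """Inverse of build_index: package name -> expected MD5 hex digest."""
    expected = {}
    for line in index.decode().splitlines():
        name, digest = line.split()
        expected[name] = digest
    return expected


class Mirror:
    """Serves both the index and the package blobs from one untrusted host."""

    def __init__(self, packages: dict):
        self.packages = dict(packages)
        self.index = build_index(self.packages)

    def fetch_index(self) -> bytes:
        return self.index

    def fetch_package(self, name: str) -> bytes:
        return self.packages[name]


def md5_only_install(mirror: Mirror, name: str) -> bool:
    """The situation described in the thread: the MD5 to check against is
    taken from the mirror's own index, so it can only detect transfer errors."""
    expected = parse_index(mirror.fetch_index())[name]
    return md5_hex(mirror.fetch_package(name)) == expected


def pinned_root_install(mirror: Mirror, name: str, trusted_index_sha256: str) -> bool:
    """Authenticity needs a root of trust that does not come from the mirror.
    Here the client holds a digest of the genuine index (assumed to have been
    obtained over a trusted channel); the index then vouches for the packages."""
    index = mirror.fetch_index()
    if sha256_hex(index) != trusted_index_sha256:
        return False  # the index itself was altered on the mirror
    expected = parse_index(index)[name]
    return md5_hex(mirror.fetch_package(name)) == expected


# Constructed stand-ins for the publisher's genuine packages.
GENUINE = {
    "bash": b"ELF genuine bash 3.2 (constructed)",
    "coreutils": b"ELF genuine coreutils (constructed)",
}
# Digest the client is assumed to have received out of band, e.g. inside a
# setup.exe fetched from the publisher's own site.
TRUSTED_INDEX_SHA256 = sha256_hex(build_index(GENUINE))


def scenario_corrupted_download() -> bool:
    """A truncated transfer: the MD5 catches it, which is exactly its job."""
    class FlakyMirror(Mirror):
        def fetch_package(self, name: str) -> bytes:
            return super().fetch_package(name)[:-3]  # simulate a cut-off download
    return md5_only_install(FlakyMirror(GENUINE), "bash")


def scenario_tampered_mirror() -> tuple:
    """The mirror swaps bash and regenerates its index: the MD5 check still
    passes, while the pinned trust root rejects the altered index."""
    tampered = dict(GENUINE, bash=b"ELF modified bash (constructed)")
    m = Mirror(tampered)
    return md5_only_install(m, "bash"), pinned_root_install(m, "bash", TRUSTED_INDEX_SHA256)


def scenario_honest_mirror() -> tuple:
    """An untouched mirror passes both checks."""
    m = Mirror(GENUINE)
    return md5_only_install(m, "bash"), pinned_root_install(m, "bash", TRUSTED_INDEX_SHA256)


if __name__ == "__main__":
    print("corrupted download, md5 check passes:", scenario_corrupted_download())
    print("tampered mirror (md5 check, pinned root):", scenario_tampered_mirror())
    print("honest mirror (md5 check, pinned root):", scenario_honest_mirror())
```

The point of the pinned digest is not the particular hash function but where it comes from: anything the client fetches from the mirror, index included, is only as trustworthy as the mirror, so the value it compares against must enter the system through a channel the mirror cannot rewrite.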