X-Spam-Check-By: sourceware.org
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; 	charset="us-ascii"
Subject: RE: MD5s of setup.exe on mirrors.
Date: Mon, 14 May 2007 17:03:05 -0400
Message-ID: <31DDB7BE4BF41D4888D41709C476B657068AAFBC@NIHCESMLBX5.nih.gov>
In-Reply-To: <4648B71D.4000804@determina.com>
References: <20070514182135 DOT GA6692 AT trixie DOT casa DOT cgf DOT cx> <4648B71D DOT 4000804 AT determina DOT com>
From: "Buchbinder, Barry (NIH/NIAID) [E]" <BBuchbinder AT niaid DOT nih DOT gov>
To: <cygwin AT cygwin DOT com>
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id l4EL3I1B013813

Alexander Sotirov wrote on Monday, May 14, 2007 3:23 PM:
> Christopher Faylor wrote:
>> That + if you want to talk about trust then you should trust the
>> method that we advertise for installing cygwin which is to click on
>> the "Install Cygwin Now!" link.
> 
> Are you saying that I should trust setup.exe downloaded from
> cygwin.com more than setup.exe downloaded from a mirror? That doesn't
> make sense.
> 
> Even if I download setup.exe from cygwin.com, it still fetches the
> package data from a mirror. As far as I know the package data is not
> signed, so setup.exe cannot verify that is has not been tampered
> with. If a mirror has a modified bash package with a malicious binary
> in it, the result will be no different than running an untrusted
> setup.exe.
> 
> In fact, the mirror list used by setup.exe does not contain the
> official ftp.cygwin.com site, giving users no choice but to use (and
> trust) mirrors.
> 
> Alex

Alex and Markus,

This thread has been going on for close to 3 days now.  I respectfully
suggest that you have spent far more time on these emails than you would
have by just using setup as documented
<http://cygwin.com/cygwin-ug-net/setup-net.html>.  Indeed, if you had
used setup as documented, you would not have noticed anything.  (Ditto
for the time to look up the mirrors, downloading setup from the mirrors,
and then run the checksums.)  Also, I would guess that undocumented
methods of getting setup.exe (e.g., pulling it off a mirror) are
probably not supported by this list and might therefore be considered to
be off topic.

I understand that you are perturbed that setup does not behave as you
might have expected.  However, having used cygwin and followed this
mailing list since well before setup was introduced (one downloaded a
single zip file in those days), I can tell you that you are not the
first person to question this or that aspect of setup.  Let it suffice
for me to say that the people who designed and programmed setup actually
use it.  They are well aware of any problems and limitations that
setup.exe might have.  They put a lot of thought into its design and a
lot of work into its coding.  I would suggest that if they made
decisions differently than you might have, you should consider giving
them the benefit of the doubt and assume that they had good reasons for
things to be arranged as they are.  Otherwise, PTC.

<OT_aside>
This reminds me of a conversation I heard over the weekend.  A man
showed a physician (a professor at Johns Hopkins Medical School) a nasty
rash that he had.  She told him that it might be caused by an infectious
agent and that he should see his doctor ASAP and possibly get
antibiotics.  He started arguing with her about the sensibility of her
diagnosis and advice.  When I realized the absurdity of the situation, I
could not refrain from interjecting "Why are you arguing with her!?!"
He responded that he was a lawyer and tended to argue with everyone.
</OT_aside>

If one is really disturbed by these issues, one might look into ways
other than cygwin to get POSIX onto a Windows machine.

For the record, here's what I do.

  - I download setup.exe to a local disk from "Install Cygwin Now"
<http://www.cygwin.com/>.
  - I run setup.exe from this downloaded copy.
  - When I run setup.exe, it tells me if setup.ini was generated for use
in a setup version newer than the one that I am running.
  - When so informed, I cancel the run, re-download setup.exe, and start
my setup.exe run over.

The advantage of this is that one need not download setup each time,
thereby saving a bit of bandwidth.

FYI: Setup functionality is described here:
<http://sourceware.org/cygwin-apps/setup-head.ini.html>.

- Barry
  -  Disclaimer: Statements made herein are not made on behalf of NIAID.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/