Subject: RE: MD5s of setup.exe on mirrors.
Date: Mon, 14 May 2007 17:03:05 -0400
From: "Buchbinder, Barry (NIH/NIAID) [E]"
Delivered-To: mailing list cygwin AT cygwin DOT com

Alexander Sotirov wrote on Monday, May 14, 2007 3:23 PM:
> Christopher Faylor wrote:
>> That + if you want to talk about trust then you should trust the
>> method that we advertise for installing cygwin which is to click on
>> the "Install Cygwin Now!" link.
>
> Are you saying that I should trust setup.exe downloaded from
> cygwin.com more than setup.exe downloaded from a mirror? That doesn't
> make sense.
>
> Even if I download setup.exe from cygwin.com, it still fetches the
> package data from a mirror. As far as I know the package data is not
> signed, so setup.exe cannot verify that it has not been tampered
> with. If a mirror has a modified bash package with a malicious binary
> in it, the result will be no different than running an untrusted
> setup.exe.
>
> In fact, the mirror list used by setup.exe does not contain the
> official ftp.cygwin.com site, giving users no choice but to use (and
> trust) mirrors.
>
> Alex

Alex and Markus,

This thread has been going on for close to 3 days now.
I respectfully suggest that you have spent far more time on these emails than you would have by just using setup as documented. Indeed, if you had used setup as documented, you would not have noticed anything. (Ditto for the time to look up the mirrors, download setup from the mirrors, and then run the checksums.) Also, I would guess that undocumented methods of getting setup.exe (e.g., pulling it off a mirror) are probably not supported by this list and might therefore be considered to be off topic.

I understand that you are perturbed that setup does not behave as you might have expected. However, having used cygwin and followed this mailing list since well before setup was introduced (one downloaded a single zip file in those days), I can tell you that you are not the first person to question this or that aspect of setup. Let it suffice for me to say that the people who designed and programmed setup actually use it. They are well aware of any problems and limitations that setup.exe might have. They put a lot of thought into its design and a lot of work into its coding. I would suggest that if they made decisions differently than you might have, you should consider giving them the benefit of the doubt and assume that they had good reasons for things to be arranged as they are. Otherwise, PTC.

This reminds me of a conversation I heard over the weekend. A man showed a physician (a professor at Johns Hopkins Medical School) a nasty rash that he had. She told him that it might be caused by an infectious agent and that he should see his doctor ASAP and possibly get antibiotics. He started arguing with her about the sensibility of her diagnosis and advice. When I realized the absurdity of the situation, I could not refrain from interjecting "Why are you arguing with her!?!" He responded that he was a lawyer and tended to argue with everyone.

If one is really disturbed by these issues, one might look into ways other than cygwin to get POSIX onto a Windows machine.

For the record, here's what I do.

- I download setup.exe to a local disk from "Install Cygwin Now".
- I run setup.exe from this downloaded copy.
- When I run setup.exe, it tells me if setup.ini was generated for use in a setup version newer than the one that I am running.
- When so informed, I cancel the run, re-download setup.exe, and start my setup.exe run over.

The advantage of this is that one need not download setup each time, thereby saving a bit of bandwidth.

FYI: Setup functionality is described here: .

- Barry
- Disclaimer: Statements made herein are not made on behalf of NIAID.