Subject: Mirrors in GPL violation? + Re: MD5s of setup.exe on mirrors.
From: "Markus E.L."
Date: Tue, 15 May 2007 01:23:55 +0200
To: cygwin AT cygwin DOT com

"Buchbinder,Barry(NIH/NIAID)[E]" writes:

Barry, my and (AFAI understand) Alex' problem is not with using setup - I for my part am quite comfortable with how I start setup. Alex (in my humble opinion rightly) is concerned with questions of trust and endorsement (like: cygwin.com lists the mirrors as source of the software, then declines any responsibility for the actual content of those mirrors, down to "we cannot be bothered with working with the mirror admins even if they (would) carry the wrong software with our name on it" -- I wouldn't handle it like that, but YMMV).

I now prefer not to touch this subject, having already gotten flamed my ass off this week (so I'm tending the blisters instead), but I think Alex' considerations (which have broader implications on "how do I, how does anyone distribute software") are legitimate. Perhaps they can even lead to a wishlist for the next generation of setup?

Cryptographically strong signed checksums are all the rage presently in package managers, and for a good reason: a malicious mirror or a careless mirror administrator provides an excellent attack vector (this has already happened in a number of related scenarios), and it would be a boon to the users of cygwin not to have to trust the security or the competence of some university-run mirrors (no staff, no money) instead of only the cygwin team.

My concern on the other side was only: "What the hell is md5.sum (on the mirrors) then for, if it doesn't contain the right sums?"

If I were the cygwin team, and felt so strongly about nobody ever running setup.exe from the mirrors, I'd probably pull it from the master sites (and consequently the mirrors) and replace it by a README effectively telling the reader to get/run setup.exe from cygwin.com. This would be in concordance with the fact that setup is already organised as a separate project: http://cygwin.com/setup/

Interestingly enough, setup seems to be GPL (most of the sources carry a GPL header), but the mirrors don't carry the source (since the source is only on http://cygwin.com/setup). Do they violate the GPL then? Pulling setup.exe from the mirrors' master site would fix that too.

> This thread has been going on for close to 3 days now.

Is there a well-known time limit on threads?

Regards -- Markus
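The trust argument in the post (an md5.sum that lives on the same mirror as the files it describes proves nothing about the mirror itself; the manifest has to be anchored to the distributor) as an added Python illustration, not code from the post or from the Cygwin project. The mirrors, setup.exe contents and the pinned digest are constructed in memory; the SHA-256 of the manifest stands in for a signature by the distributor's key.

```python
import hashlib

def parse_manifest(text):
    """Parse md5.sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def verify_files(mirror, manifest_text):
    """Check each listed file against the digests in the manifest text.
    On its own this trusts whoever wrote the manifest, i.e. the mirror."""
    wanted = parse_manifest(manifest_text)
    return {name: md5_hex(mirror.get(name, b"")) == digest
            for name, digest in wanted.items()}

def verify_mirror(mirror, trusted_manifest_sha256):
    """Two-step check: md5.sum must match a digest obtained from the master site
    (stand-in for a distributor signature); only then are the files compared."""
    manifest = mirror.get("md5.sum", b"")
    if hashlib.sha256(manifest).hexdigest() != trusted_manifest_sha256:
        return False, "md5.sum does not match the digest published by the master site"
    bad = [n for n, ok in verify_files(mirror, manifest.decode()).items() if not ok]
    return not bad, ("ok" if not bad else "mismatch: " + ", ".join(bad))

def make_manifest(files):
    """Build md5.sum text for a {name: bytes} mapping."""
    return "".join(f"{md5_hex(d)}  {n}\n" for n, d in files.items()).encode()

# Constructed stand-ins for the master site's release and its manifest.
GENUINE = {"setup.exe": b"genuine setup.exe bytes (constructed)"}
GENUINE_MANIFEST = make_manifest(GENUINE)
# In practice this value would come from cygwin.com, never from the mirror being checked.
PINNED = hashlib.sha256(GENUINE_MANIFEST).hexdigest()

HONEST_MIRROR = {"setup.exe": GENUINE["setup.exe"], "md5.sum": GENUINE_MANIFEST}
# A mirror carrying a different setup.exe together with a regenerated md5.sum:
# its own manifest still "verifies", so only the pinned check catches the swap.
SWAPPED = {"setup.exe": b"different setup.exe bytes (constructed)"}
SWAPPED_MIRROR = {"setup.exe": SWAPPED["setup.exe"], "md5.sum": make_manifest(SWAPPED)}

if __name__ == "__main__":
    print(verify_mirror(HONEST_MIRROR, PINNED))   # (True, 'ok')
    print(verify_mirror(SWAPPED_MIRROR, PINNED))  # (False, 'md5.sum does not match ...')
```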