X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-1.8 required=5.0 	tests=AWL,BAYES_00,SARE_MSGID_LONG40
X-Spam-Check-By: sourceware.org
MIME-Version: 1.0
In-Reply-To: <4B9EEC2D.9020602@monai.ca>
References: <1268526388 DOT 20918 DOT ezmlm AT cygwin DOT com> 	 <Pine DOT LNX DOT 4 DOT 58 DOT 1003141111350 DOT 14642 AT mail3 DOT jubileegroup DOT co DOT uk> 	 <20100314163002 DOT GA12172 AT ednor DOT casa DOT cgf DOT cx> 	 <03988E63C1BD48809EA3A27E4D6A3661 AT phoenix> <4B9D1B9C DOT 6000302 AT monai DOT ca> 	 <20100314190223 DOT GD13515 AT ednor DOT casa DOT cgf DOT cx> <4B9EEC2D DOT 9020602 AT monai DOT ca>
Date: Tue, 16 Mar 2010 10:53:17 +0100
Message-ID: <1ef5a52f1003160253g55aa7bf7l79bda3768f50c969@mail.gmail.com>
Subject: Re: incomplete/corrupted setup.exe
From: Csaba Raduly <rcsaba AT gmail DOT com>
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset=ISO-8859-1
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Tue, Mar 16, 2010 at 3:25 AM, Steven Monai wrote:
[snip]
> IT departments are becoming increasingly security conscious. That's
> probably why the OP had trouble downloading setup.exe. It wasn't because
> his IT was "brain-dead", but because there are legitimate security
> concerns about downloading an unsigned exe over a non-SSL-authenticated
> channel.

Unfortunately, many IT departments follow the "We must do something.
This is something. Therefore we must do this." action plan :/
Installing a webfilter falls into this category, IMO.

> I suggest people inform themselves about the current state of art in
> "man-in-the-middle" hijacking attacks, because the means by which
> cygwin.com currently distributes setup.exe is vulnerable to a MITM
> surreptitiously delivering a trojan setup.exe in place of the actual.
> For this reason, I caution Cygwin users against downloading setup.exe
> over unsafe networks (e.g. public wireless hotspots, hotel networks, etc.).

Or the Internet, in general :)

Perhaps the MD5 and/or SHA1 checksums for the current setup.exe should
be published (and updated every time there's a new release) next to
the download link (like Apache does, for example)

-- 
Life is complex, with real and imaginary parts

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple