X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=1.2 required=5.0	tests=AWL,BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,FSL_FREEMAIL_1,FSL_FREEMAIL_2,RCVD_IN_DNSWL_NONE,RCVD_IN_HOSTKARMA_YE,RP_MATCHES_RCVD,UNPARSEABLE_RELAY
X-Spam-Check-By: sourceware.org
X-Yahoo-SMTP: 5dK18waswBAT5ulP1CdMKt9Jhcrn
Message-ID: <50629F1D.7070406@yahoo.com>
Date: Tue, 25 Sep 2012 23:22:21 -0700
From: Bry8 Star <bry8star AT yahoo DOT com>
Reply-To: bry8star AT yahoo DOT com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: include SHA1/MD5 hash/digest of setup.exe, and use HTTPS
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Hello,
Please include SHA1/MD5 hash/digest code of "setup.exe" file, on webpage
next to "setup.exe" download url-link.
so we know for sure, if we have a correct file or not, and someone in
middle (MITM) has not changed it.

Windows users prefer to verify files rather with sha1/md5 etc, than
using asc, as asc verification is more complicated.

And also, please distribute the setup.exe, via using a HTTPS based
URL/site. So we/users can get it securely (and over encrypted
connections) from your site, cygwin.com

No need for a paid/purchased SSL/TLS certificate. A self-signed or
CAcert or other free cert (various cert providers have free cert for
non-profit or open-source developers), is more than enough & suffice.
Much much better than using no encryption at all.

Does the "setup.exe" connect to Internet/mirror sites using https or
SSL/TLS encrypted connections ?
if not please, change "setup.exe" codes further, so that at least
initial connections while obtaining hash/digest/asc code of other source
files are obtained via using SSL/TLS (if that source site supports). You
should have or host the hash/digest/asc files of all source files under
cygwin.com site. A larger sized source file or binary file can be
downloaded via non-https way, ONLY if the hash/digest/asc codes were
already obtained through SSL/TLS/HTTPS connection in early.

Thanks, Thanks, Thanks.
-- Bry8 Star. (Bry8Star).

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple