To: cygwin AT cygwin DOT com
From: Achim Gratz
Subject: Re: setting up private mirror
Date: Thu, 3 Sep 2015 14:50:46 +0000 (UTC)

Chris Louden writes:
> The process seems fairly straightforward
> setting up an apache instance and rsyncing twice a day. However our
> NetSec folks have asked if there is any way I can sync the local repo
> via an authenticated or encrypted method. I guess to rule out a man in
> the middle scenario.

You probably want to read

https://cygwin.com/faq/faq.html#faq.setup.install-security

I suppose. Cygwin installation can't be tampered with unless you override
the signature check. It doesn't matter how or where you are syncing your
local mirror from, setup.exe is going to check the gpg signature on the
setup.ini file it reads and it won't install any package that has a
different SHA512 checksum than what's noted (and been signed) in setup.ini.
If you want to do a check after mirroring, you'd need to roll your own
signature checking and setup.ini parsing.

Regards,
Achim.
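
An added example, not part of the message above and not Cygwin's own code: one way to do the post-mirroring check it mentions, covering the setup.ini parsing and the SHA512 comparison. It assumes the gpg signature on setup.ini has already been verified separately and that entries use the line layout `install: <path> <size> <sha512>`; the function names and the sample packages are constructed for illustration.

```python
import hashlib
import pathlib
import re
import tempfile

# Assumed line layout: "install: <path relative to mirror root> <size> <sha512 hex>"
ENTRY = re.compile(r"^(?:install|source):\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]{128})\s*$")

def parse_setup_ini(text):
    """Yield (path, size, sha512) for every install:/source: line."""
    for line in text.splitlines():
        if m := ENTRY.match(line):
            yield m.group(1), int(m.group(2)), m.group(3).lower()

def sha512_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_mirror(root, ini_text):
    """Return {relative path: problem} for every listed file that fails."""
    problems = {}
    root = pathlib.Path(root).resolve()
    for rel, size, digest in parse_setup_ini(ini_text):
        full = (root / rel).resolve()
        if root not in full.parents:
            problems[rel] = "path escapes mirror root"
        elif not full.is_file():
            problems[rel] = "missing"
        elif full.stat().st_size != size:
            problems[rel] = "size mismatch"
        elif sha512_file(full) != digest:
            problems[rel] = "sha512 mismatch"
    return problems

def demo():
    """Constructed mirror: 'good' is intact, 'bad' keeps its size but not its content."""
    with tempfile.TemporaryDirectory() as root:
        ini = "setup-timestamp: 0\n"
        for name in ("good", "bad"):
            rel = f"x86_64/release/{name}/{name}-1.0-1.tar.xz"
            data = name.encode() * 100
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_bytes(b"x" * len(data) if name == "bad" else data)
            ini += f"\n@ {name}\ninstall: {rel} {len(data)} {hashlib.sha512(data).hexdigest()}\n"
        return check_mirror(root, ini)
```

The checksums compared here are only as trustworthy as the setup.ini they come from, so a clean result means something only after that file's signature has verified.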