From: Lee
Date: Tue, 12 Mar 2019 17:14:51 -0400
Subject: Re: SSL not required for setup.exe download
To: cygwin AT cygwin DOT com

On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>> which
>>> is easily mitigated with proper validation of your downloads.
>
>> Serious question - exactly how does one do "proper validation of your
>> downloads"?
>
> Use PGP signature to validate the installer. Use separate channel to obtain
> trust records for PGP key used in signing.

Yes, in the ideal world. But at least in my experience, most Windows software doesn't come with a PGP signature & using a separate channel to get the PGP key isn't so easy.

Just out of curiosity.. has the Cygwin public key been posted in multiple places or sent to the mailing list? Getting the exe, sig & key from https://cygwin.com/install.html seems not the best security.

> And not blindly trust "supposedly-secure" connections.

I don't. But I trust TLS connections a lot more than I trust clear-text connections.

Regards,
Lee
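
The validation discussed in this message, as an added example that is not part of the original thread: check a detached signature with gpg and accept it only if the signer matches a fingerprint pinned from a separate channel. The function names, fingerprints and status lines are constructed for illustration; it assumes the signing key is already imported into the local gpg keyring.

```python
import subprocess

# Status keywords that mean "do not trust this signature", even if VALIDSIG also appears.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed values for illustration; not the Cygwin key and not real gpg output.
PRIMARY_FPR = "A" * 40   # primary key fingerprint (the value you pin out of band)
SUBKEY_FPR = "B" * 40    # signing subkey fingerprint
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2019-03-12 1552400000 0 4 0 1 8 00 {PRIMARY_FPR}\n"
)

def signed_by_pinned_key(status_text, pinned_fpr):
    """True only if every valid signature was made under the pinned primary key."""
    pinned = "".join(pinned_fpr.split()).upper()
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The 10th VALIDSIG argument is the primary key fingerprint when gpg
            # reports it; otherwise fall back to the signing key fingerprint.
            signers.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return signers == {pinned}

def verify_installer(installer, signature, pinned_fpr, gpg="gpg"):
    """Run gpg on a detached signature and apply the pin check to its status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, installer],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout, pinned_fpr)
```

The pin is what carries the trust here: a key fetched from the same page as the installer and signature only proves that all three came from the same place.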