Date: Wed, 13 Mar 2019 00:34:20 +0300
From: Andrey Repin
Reply-To: cygwin AT cygwin DOT com
Message-ID: <3510142791.20190313003420@yandex.ru>
To: Lee, cygwin AT cygwin DOT com
Subject: Re: SSL not required for setup.exe download

Greetings, Lee!

>> Greetings, Lee!
>>
>>>> Which is way worse in my opinion, than any theoretical MITM attack, which
>>>> is easily mitigated with proper validation of your downloads.
>>
>>> Serious question - exactly how does one do "proper validation of your
>>> downloads"?
>>
>> Use PGP signature to validate the installer. Use separate channel to obtain
>> trust records for PGP key used in signing.

> Yes, in the ideal world. But at least in my experience, most windows
> software doesn't come with a pgp signature & using a separate channel
> to get the pgp key isn't so easy.

In my experience, this is a Cygwin mailing list and we're discussing issues of
obtaining and verifying the authenticity of setup.exe.

P.S.
In regard to Cygwin mailing list, please teach your mail agent to not quote raw email addresses.

-- 
With best regards,
Andrey Repin
Wednesday, March 13, 2019 0:32:21

Sorry for my terrible english...
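
The validation described in the message above, as an added example that is not part of the original post or of Cygwin's own tooling: verify a detached PGP signature and accept it only if the signer matches a fingerprint obtained over a separate channel. The function names, the `EXPECTED_FPR` placeholder and the file arguments are assumptions made for this sketch, and the status lines in `sample_status` are constructed.

```shell
#!/bin/sh
# Added example. The pin is the full 40-hex fingerprint, obtained over a
# channel other than the download site. The default is a placeholder, not a real key.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names the pinned fingerprint as the signing key ($3) or the
# primary key ($12), and no bad/unchecked/expired-key/revoked-key status appears.
status_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ ${#pin} -eq 40 ] || return 2   # refuse short key IDs and empty pins
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == pin || $12 == pin) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_installer FILE SIG KEYRING
# KEYRING is a keyring file holding only the imported signing key; give it
# as a path containing a slash so gpg does not look in its home directory.
verify_installer() {
    gpg --batch --no-default-keyring --keyring "$3" \
        --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_matches_pin "$EXPECTED_FPR"
}

# Constructed status output for a valid signature (sample data, not a real key).
sample_status() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG %s Constructed Signer\n' "$(printf '%s' "$1" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2019-03-12 1552348800 0 4 0 1 8 00 %s\n' "$1" "$1"
}
```

A bare "Good signature" from gpg only says that some key in the keyring signed the file; comparing the full fingerprint against the out-of-band value is what ties the signature to the expected signer.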