X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=WjBxBlEYw2t3Hg7t wHcm8YIVnEOwjCf2yZVRucO8iW/iePowlNOYEOyq8mepi94zGcl7ch+Bk1SaKVyD 6zCilDvNTTXiCr6mRRgB8VL6+Iw+/NWLid1GjXR2XFWkmLl1PtdNoXyDdxPIazpx e4i8Y54p2DRaZ+/1zeekAd9cy3w= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; s=default; bh=SfUa5zzxagHudT+QT6qww/ mUg24=; b=ObueJ9p0ERlSsurlS+JGNjvdRH6+/i1WfxbMF/Vw+YvAnajBobtYLV gGq55nz3GzqAOIqZhk6Z+8QP3sz0guO/rvGSNmNzcPpsEG4WItzWX7/t4knpPhD1 V8g8TrvQMUD/wbuj/43Fw6bjHHYqaSu7UQs7hcR4+f80c+w/YGm28= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-5.8 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_1,KAM_SHORT,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=movement, Canada, H*RU:sk:smtp-ou, controller X-HELO: smtp-out-no.shaw.ca Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca Subject: Re: another question about cygwin bash trying to make connections To: cygwin AT cygwin DOT com References: <3af7d373-de36-cb8d-04ad-04ccda05667b AT molconn DOT com> <4397f4e8-a867-67b6-beed-018adbe5b4cc AT gmail DOT com> <99d7614e-b49d-6a15-dfee-7d1e030d55af AT molconn DOT com> From: Brian Inglis Openpgp: preference=signencrypt Message-ID: <2e89fd33-7352-a179-b014-4387f6d5de00@SystematicSw.ab.ca> Date: Wed, 8 Jan 2020 10:10:47 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1 MIME-Version: 1.0 In-Reply-To: <99d7614e-b49d-6a15-dfee-7d1e030d55af@molconn.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes On 2020-01-07 16:02, LMH wrote: > Marco Atzeri wrote: >> Am 07.01.2020 um 21:58 schrieb LMH: >>> This is the version of bash, >>> >>> GNU bash, version 4.3.42(4)-release (i686-pc-cygwin) >>> >>> it would be very helpful as a first step if I could find a verified >>> digital signature for this version of bash. The index here, >>> >>> https://ftp.gnu.org/gnu/bash/ >>> >>> gives an archive of bash with a signature for each tar.gz but not the >>> signature for each version of the extracted binary. GNU packages are source only and GNU does not distribute binaries. Some GNU maintainers may make binaries available from their own personal systems. Binaries are built for each platform with some compiler version that runs on that platform, so each binary for each platform, compiler, and compilation run has a different digital signature, as each compilation run typically injects time stamps and other run-dependent data, especially with included debug info. The reproducible build movement is trying to reduce and eliminate those variations for easier binary validation and verification, but requires tool chains which support suppression of all info not strictly dependent on the source code, compiler, tools, and platform versions. Each source package is typically packaged with components for that platform package, so the best you can do is probably check the signature of the original GNU bash source package against the copy included verbatim in the Cygwin source package as the build base; the hashes of the downloaded Cygwin bash source and binary packages against those in your latest downloaded setup.ini or the x86{,_64}/release/bash/sha512.sum file on your local mirror or the sourceware mirror; and the signature of x86{,_64}/setup.ini in x86{,_64}/setup.ini.sig on your local mirror or the sourceware mirror. >> that is not the last version of bash, so I guess your system is not >> updated anyway >> >> $ bash --version >> GNU bash, version 4.4.12(3)-release (i686-pc-cygwin) > No, this is an older system that I keep around to run and test XP software > on. It has the latest version of cygwin that still supports XP (2.874). This > system isn't on the internet very often. > > It is still of interest to me to understand how the components of cywgin > work and what controls such things as how and why IPC may be triggered. This > is especially true when I see behavior that doesn't make sense to me. I > don't see any reason why bash should need to communicate with svchost every > time it is run, especially where blocking that communication has no > discernible effect. > > If this is evidence of a system problem somewhere, I of course would like to > know about that as well. If you are or appear to be on a domain, any Cygwin access to user and some other info may invoke a Windows call which accesses the domain controller. On newer systems, if you have not disabled Windows usage monitoring, data collection, and submission to MicroSoft, or have any MicroSoft accounts instead of local accounts, any Windows call may access MicroSoft domain systems. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple