X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=WjBxBlEYw2t3Hg7t
	wHcm8YIVnEOwjCf2yZVRucO8iW/iePowlNOYEOyq8mepi94zGcl7ch+Bk1SaKVyD
	6zCilDvNTTXiCr6mRRgB8VL6+Iw+/NWLid1GjXR2XFWkmLl1PtdNoXyDdxPIazpx
	e4i8Y54p2DRaZ+/1zeekAd9cy3w=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=SfUa5zzxagHudT+QT6qww/
	mUg24=; b=ObueJ9p0ERlSsurlS+JGNjvdRH6+/i1WfxbMF/Vw+YvAnajBobtYLV
	gGq55nz3GzqAOIqZhk6Z+8QP3sz0guO/rvGSNmNzcPpsEG4WItzWX7/t4knpPhD1
	V8g8TrvQMUD/wbuj/43Fw6bjHHYqaSu7UQs7hcR4+f80c+w/YGm28=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-5.8 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_1,KAM_SHORT,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=movement, Canada, H*RU:sk:smtp-ou, controller
X-HELO: smtp-out-no.shaw.ca
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
Subject: Re: another question about cygwin bash trying to make connections
To: cygwin AT cygwin DOT com
References: <3af7d373-de36-cb8d-04ad-04ccda05667b AT molconn DOT com> <4397f4e8-a867-67b6-beed-018adbe5b4cc AT gmail DOT com> <99d7614e-b49d-6a15-dfee-7d1e030d55af AT molconn DOT com>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Openpgp: preference=signencrypt
Message-ID: <2e89fd33-7352-a179-b014-4387f6d5de00@SystematicSw.ab.ca>
Date: Wed, 8 Jan 2020 10:10:47 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <99d7614e-b49d-6a15-dfee-7d1e030d55af@molconn.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

On 2020-01-07 16:02, LMH wrote:
> Marco Atzeri wrote:
>> Am 07.01.2020 um 21:58 schrieb LMH:
>>> This is the version of bash,
>>>
>>> GNU bash, version 4.3.42(4)-release (i686-pc-cygwin)
>>>
>>> it would be very helpful as a first step if I could find a verified 
>>> digital signature for this version of bash. The index here,
>>>
>>> https://ftp.gnu.org/gnu/bash/
>>> 
>>> gives an archive of bash with a signature for each tar.gz but not the 
>>> signature for each version of the extracted binary.

GNU packages are source only and GNU does not distribute binaries. Some GNU
maintainers may make binaries available from their own personal systems.

Binaries are built for each platform with some compiler version that runs on
that platform, so each binary for each platform, compiler, and compilation run
has a different digital signature, as each compilation run typically injects
time stamps and other run-dependent data, especially with included debug info.

The reproducible build movement is trying to reduce and eliminate those
variations for easier binary validation and verification, but requires tool
chains which support suppression of all info not strictly dependent on the
source code, compiler, tools, and platform versions.

Each source package is typically packaged with components for that platform
package, so the best you can do is probably check the signature of the original
GNU bash source package against the copy included verbatim in the Cygwin source
package as the build base; the hashes of the downloaded Cygwin bash source and
binary packages against those in your latest downloaded setup.ini or the
x86{,_64}/release/bash/sha512.sum file on your local mirror or the sourceware
mirror; and the signature of x86{,_64}/setup.ini in x86{,_64}/setup.ini.sig on
your local mirror or the sourceware mirror.

>> that is not the last version of bash, so I guess your system is not
>> updated anyway
>> 
>> $ bash --version
>> GNU bash, version 4.4.12(3)-release (i686-pc-cygwin)

> No, this is an older system that I keep around to run and test XP software 
> on. It has the latest version of cygwin that still supports XP (2.874). This
> system isn't on the internet very often.
> 
> It is still of interest to me to understand how the components of cywgin
> work and what controls such things as how and why IPC may be triggered. This
> is especially true when I see behavior that doesn't make sense to me. I
> don't see any reason why bash should need to communicate with svchost every
> time it is run, especially where blocking that communication has no
> discernible effect.
> 
> If this is evidence of a system problem somewhere, I of course would like to
> know about that as well.

If you are or appear to be on a domain, any Cygwin access to user and some other
info may invoke a Windows call which accesses the domain controller.

On newer systems, if you have not disabled Windows usage monitoring, data
collection, and submission to MicroSoft, or have any MicroSoft accounts instead
of local accounts, any Windows call may access MicroSoft domain systems.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple