This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: MD5s of setup.exe on mirrors.


Christopher Faylor wrote:
>> Nobody seemed to care. Considering the fact that MD5 collisions are now trivial
>> to generate, it probably doesn't matter much anyways - the fact that your copy
>> of setup.exe has the right MD5 doesn't mean that it hasn't been tampered with.
> 
> We don't control the content of mirrors.
> 
> If you think this is an issue, contact the mirror(s) in question.

This is an issue with the Cygwin website, not the mirrors.

There is a chain of trust from http://cygwin.com to the mirrors. Since the
official Cygwin site list these mirrors at http://cygwin.com/mirrors.html,
you're endorsing them as an officially approved locations to download Cygwin.
This means that you have to monitor reports about misbehaving mirrors and remove
ones that distribute corrupted or possibly malicious binaries under the Cygwin name.


Alex

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]