This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: MD5s of setup.exe on mirrors.
On Fri, May 11, 2007 at 02:42:33PM -0700, Alexander Sotirov wrote:
>Christopher Faylor wrote:
>>>Nobody seemed to care. Considering the fact that MD5 collisions are
>>>now trivial to generate, it probably doesn't matter much anyways - the
>>>fact that your copy of setup.exe has the right MD5 doesn't mean that it
>>>hasn't been tampered with.
>>
>>We don't control the content of mirrors.
>>
>>If you think this is an issue, contact the mirror(s) in question.
>
>This is an issue with the Cygwin website, not the mirrors.
That is your opinion.
>There is a chain of trust from http://cygwin.com to the mirrors. Since
>the official Cygwin site list these mirrors at
>http://cygwin.com/mirrors.html, you're endorsing them as an officially
>approved locations to download Cygwin. This means that you have to
>monitor reports about misbehaving mirrors and remove ones that
>distribute corrupted or possibly malicious binaries under the Cygwin
>name.
If/when we find a mirror distributing a malicious binary we will remove
it.
However, in the meantime, I would suggest that people only use the
setup.exe that is distributed from cygwin.com, i.e., click on the
"Install Cygwin Now" link.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/