This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: MD5s of setup.exe on mirrors.


Alexander Sotirov <asotirov@determina.com> writes:

> ls-cygwin-2006@m-e-leypold.de wrote:
>> Cygwin mirrors have in their toplevel a setup.exe and an md5.sum. The
>> md5sum is
>> 
>>   ae1944f528338033bab3b4710d5bd736  setup.bz2
>>   b31ddcef84f25919a5d3184167b4a90d  setup.exe
>>   0503889504b7ff0b23e65586a522b3ad  setup.ini
>> 
>> whereas the setup.exe has actually the md5sum:
>> 
>>   fbc848393ed05ef4f51a253f75bcafeb
>> 
>> I checked that for ftp://mirror.switch.ch/mirror/cygwin/setup.exe and
>> ftp://ftp.mirror.ac.uk/sites/sources.redhat.com/ftp/cygwin/setup.exe
>> and some others.
>
> I reported this in January: http://cygwin.com/ml/cygwin/2007-02/msg00006.html
>
> Nobody seemed to care. Considering the fact that MD5 collisions are now trivial
> to generate, it probably doesn't matter much anyways - the fact that your copy
> of setup.exe has the right MD5 doesn't mean that it hasn't been tampered with.

Hi Alex,

BTW, thanks for your references in your January post to sources on
MD5-collision -- I hadn't realized that the risk of a successful
attack is far from purely academic now (though, as I understand,
creating a collision between two meaningful documents/programs seems to
require that the attacker controls both, which isn't the case here).

WRT setup.exe: I now see that you also referred to the cygwin ftp
site (which I ignored since it's not linked on the mirrors page at
cygwin.com). Setup.exe there has the right md5sum (the setup.exe I've
been referring to was the one linked from the http site pages).

Since I assume that the mirrors pull from the cygwin ftp site
something even stranger is happening there. Since all mirrors I
checked so far are carrying the changed setup.exe, I'd locate the
common cause for all that somewhere at the cygwin side rather than at
the mirrors.

@ the cygwin team: I suggest you touch(1) setup.exe once at the master
site to trigger a new transfer to the mirrors and see what
happens. This is a thing you can do for all of us and will cost you
hardly anything. I don't see the mirror users on the other side
writing to all the mirror admins -- which, if I'm right, would have to
come back to you anyway.

And yes, I agree: The thought that the mirrors can get out of sync in
this way with the master site is somewhat unsettling, despite the fact
that there are md5sums for every source and binary package. Reminds
me, that my mirroring-to-CD tool should actively check all md5sums
before creating the ISO image.

Regards -- Markus
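
Added example, not part of the original message or of any Cygwin tool: a sketch of the pre-ISO check mentioned above, which parses a manifest in the md5.sum layout quoted in the thread and refuses to proceed if any listed file is missing or differs. The function names and sample file contents are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Manifest entry: 32 hex digits, a space, ' ' (text) or '*' (binary), then the name.
ENTRY = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

def parse_manifest(text):
    """Return {relative name: lowercase md5 hex} from md5sum-style lines."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large packages are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_tree(root, manifest_text):
    """Check each manifest entry under root: 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if md5_of(path) == expected else "MISMATCH"
    return results

def safe_to_build(results):
    """Only build when the manifest was non-empty and every entry matched."""
    return bool(results) and all(s == "OK" for s in results.values())

def demo():
    """Constructed mirror: one good file, one changed file, one absent file."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("setup.ini", b"constructed ini\n"), ("setup.exe", b"changed binary\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = "\n".join([
            "  %s  setup.ini" % hashlib.md5(b"constructed ini\n").hexdigest(),
            "  %s  setup.exe" % hashlib.md5(b"original binary\n").hexdigest(),
            "  %s  setup.bz2" % hashlib.md5(b"never mirrored\n").hexdigest(),
        ])
        return verify_tree(root, manifest)
```

A check like this catches a mirror that has drifted from its own manifest, as with the setup.exe in this thread; it says nothing about whether the manifest itself is the one published by the master site.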

