This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: MD5s of setup.exe on mirrors.


Christopher Faylor wrote:
> That + if you want to talk about trust then you should trust the method
> that we advertise for installing cygwin which is to click on the
> "Install Cygwin Now!" link.

Are you saying that I should trust setup.exe downloaded from cygwin.com more
than setup.exe downloaded from a mirror? That doesn't make sense.

Even if I download setup.exe from cygwin.com, it still fetches the package data
from a mirror. As far as I know the package data is not signed, so setup.exe
cannot verify that is has not been tampered with. If a mirror has a modified
bash package with a malicious binary in it, the result will be no different than
running an untrusted setup.exe.

In fact, the mirror list used by setup.exe does not contain the official
ftp.cygwin.com site, giving users no choice but to use (and trust) mirrors.

Alex

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]