This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: setting up private mirror


Chris Louden <chris.louden <at> gmail.com> writes:
> The process seem fairly straight forward
> setting up an apache instance and rsycing twice a day. However our
> NetSec folks have asked is there is any way I can sync the local repo
> via an authenticated or encrypted method. I guess to rule out a man in
> the middle scenario.

You probably want to read

https://cygwin.com/faq/faq.html#faq.setup.install-security

I suppose.  Cygwin installation can't be tampered with unless you override
the signature check.  It doesn't matter how or where you are syncing your
local mirror from, setup.exe is going to check the gpg signature on the
setup.ini file it reads and it won't install any package that has a
different SHA512 checksum than what's noted (and been signed) in setup.ini.

If you want to do a check after mirroring, you'd need to roll your own
signature checking and setup.ini parsing.


Regards,
Achim.





--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]