Re: MD5s of setup.exe on mirrors.

[Markus E.L. <ls-cygwin-2006 at m-e-leypold dot de>]

"LarryHall(Cygwin)" writes:

> Alexander Sotirov wrote:
>> Christopher Faylor wrote:
>>> That + if you want to talk about trust then you should trust the method
>>> that we advertise for installing cygwin which is to click on the
>>> "Install Cygwin Now!" link.
>> 
>> Are you saying that I should trust setup.exe downloaded from cygwin.com more
>> than setup.exe downloaded from a mirror? That doesn't make sense.
>> 
>> Even if I download setup.exe from cygwin.com, it still fetches the package data
>> from a mirror. As far as I know the package data is not signed, so setup.exe
>> cannot verify that is has not been tampered with. If a mirror has a modified
>> bash package with a malicious binary in it, the result will be no different than
>> running an untrusted setup.exe.
>> 
>> In fact, the mirror list used by setup.exe does not contain the official
>> ftp.cygwin.com site, giving users no choice but to use (and trust) mirrors.
>
> Do you actually have a question or do you just want to speak your piece?

He probably forgot that the list is for questions only.

> Seems to me that you're asking questions but then not really paying
> attention to the answers, even when they come from a project leader.
> Perhaps you want to come at this again and clarify whether you're looking
> for information or just want to make a statement.

<Shaking my head>. 

Regards -- Markus

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/