This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: hacked package on server
- From: Louis Kruger <lpkruger at cs dot wisc dot edu>
- To: cygwin at cygwin dot com
- Date: Mon, 16 Jul 2007 11:17:43 -0500
- Subject: Re: hacked package on server
On Mon, Jul 16, 2007 at 10:30:52AM -0500, Louis Kruger wrote:
> I also have a complaint: the dialog that notifies the user of the failed
> MD5 is not well designed. The dialog asks "Do you want to skip the
> package?" and has a yes and no button. I read it quickly and pressed no
> before thinking about it, the package went ahead and tried to install. I
> think there should be a little more effort to restrain the user from
> performing a dangerous action such as installing a package with a wrong MD5.

Good point. The message should probably be

    Do you want to not skip the package (No/Yes)?

cgf

I realize you are joking, but the wording of the message is beside the
point. For an ordinary end-user, installing a file with a wrong MD5 is
the wrong (and dangerous) thing to do in just about any case I can think
of. Therefore it should not be equally easy to select either option.

My opinion is that the setup program should abort immediately on
detecting a wrong MD5 with a message that the server may have been
compromised. If there is a special case where someone may actually want
this, it should be something non-obvious, like a -allow-wrong-md5 flag
to the setup program.

thanks,
Louis
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
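
The fail-closed behaviour proposed in the message above, sketched as an added example that is not part of the original post or of Cygwin's setup program. The function names, the command-line layout and the `--allow-wrong-md5` spelling (hidden from `--help`) are assumptions made for illustration.

```python
import argparse
import hashlib
import sys


class ChecksumMismatch(Exception):
    """Raised when a downloaded package does not match its listed MD5."""


def md5_of(path, chunk_size=65536):
    """Hash the file in chunks so large packages are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(path, expected_md5, allow_wrong_md5=False):
    """Return True when verified, False when accepted only through the
    explicit override; raise ChecksumMismatch in every other case."""
    actual = md5_of(path)
    if actual == expected_md5.strip().lower():
        return True
    if allow_wrong_md5:
        print(f"WARNING: {path}: MD5 {actual} does not match listed "
              f"{expected_md5}; continuing on explicit override", file=sys.stderr)
        return False
    raise ChecksumMismatch(f"{path}: MD5 {actual} does not match listed "
                           f"{expected_md5}; the server may have been compromised")


def main(argv=None):
    parser = argparse.ArgumentParser(description="verify a package before install")
    parser.add_argument("package")
    parser.add_argument("expected_md5")
    # Hypothetical override: no prompt, no button, not listed in --help.
    parser.add_argument("--allow-wrong-md5", action="store_true",
                        help=argparse.SUPPRESS)
    args = parser.parse_args(argv)
    try:
        verify_package(args.package, args.expected_md5, args.allow_wrong_md5)
    except ChecksumMismatch as exc:
        print(f"ABORT: {exc}", file=sys.stderr)
        return 1  # non-zero exit: nothing is installed
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The mismatch path never asks a question, so a hurried click cannot select the dangerous branch; installing anyway requires typing the override on the command line.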