This is the mail archive of the
mailing list for the Cygwin project.
include SHA1/MD5 hash/digest of setup.exe, and HTTPS
- From: Bry8 Star <bry8star at yahoo dot com>
- To: cygwin at cygwin dot com
- Date: Wed, 26 Sep 2012 04:57:24 -0700
- Subject: include SHA1/MD5 hash/digest of setup.exe, and HTTPS
- Reply-to: bry8star at yahoo dot com
Please include SHA1/MD5 hash/digest code of "setup.exe" file, on webpage
next to "setup.exe" download url-link.
so we can know for sure, if we have a correct file or not, and someone
in middle (MITM) has not changed it.
Windows users prefer to verify files rather with sha1/md5 etc, than
using asc, as asc verification is more complicated.
And also, please distribute the setup.exe, via using a HTTPS based
URL/site. So we/users can get it securely (and over encrypted
connections) from your site, cygwin.com
No need for a paid/purchased SSL/TLS certificate. A self-signed or
CAcert or other free cert (various cert providers have free cert for
non-profit or open-source developers), is more than enough & suffice.
Much much better than using no encryption at all.
Does the "setup.exe" connect to Internet/mirror sites using https or
SSL/TLS encrypted connections ?
if not please, change "setup.exe" codes further, so that at least
initial connections while obtaining hash/digest/asc code of other source
files are obtained via using SSL/TLS (if that source site supports). You
should have or host the hash/digest/asc files of all source files under
cygwin.com site. A larger sized source file or binary file can be
downloaded via non-https way, ONLY if the hash/digest/asc codes were
already obtained through SSL/TLS/HTTPS connection in early.
Thanks, Thanks, Thanks.
-- Bry8 Star. (Bry8Star).
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple