This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: SSL not required for setup.exe download


Greetings, Lee!

>> Greetings, Lee!
>>
>>>> Which is way worse in my opinion, than any theoretical MITM attack, which
>>>> is easily mitigated with proper validation of your downloads.
>>
>>> Serious question - exactly how does one do "proper validation of your
>>> downloads"?
>>
>> Use a PGP signature to validate the installer. Use a separate channel to
>> obtain trust records for the PGP key used in signing.

> Yes, in the ideal world.  But at least in my experience, most Windows
> software doesn't come with a PGP signature & using a separate channel
> to get the PGP key isn't so easy.

In my experience, this is a Cygwin mailing list and we're discussing issues
of obtaining and verifying the authenticity of setup.exe.

P.S.
In regard to the Cygwin mailing list, please teach your mail agent not to
quote raw email addresses.


-- 
With best regards,
Andrey Repin
Wednesday, March 13, 2019 0:32:21

Sorry for my terrible English...
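
The validation described in the message above, as an added example that is not part of the original message or of the Cygwin project: verify a detached PGP signature and accept it only if it was made by a key whose fingerprint was obtained over a separate channel. The file names `setup.exe` and `setup.exe.sig`, the function names, and the fingerprint value (a constructed placeholder) are assumptions.

```shell
#!/bin/sh
# Assumption: PINNED_FPR is the signing key's full fingerprint, obtained over a
# separate channel (not from the download site). The value below is a
# constructed placeholder, not a real key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads `gpg --status-fd` output on stdin. Succeeds only if gpg reported a good
# signature (GOODSIG) and a VALIDSIG line names the pinned fingerprint, either
# as the key that signed or as its primary key. Any bad, erroneous, expired or
# revoked status rejects the result (a deliberately conservative choice).
status_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 = fingerprint of the key that signed, $NF = primary key
            if (toupper($3) == pin || toupper($NF) == pin) ok = 1
            else bad = 1
        }
        END { exit (good && ok && !bad) ? 0 : 1 }
    '
}

# Usage: verify_installer setup.exe setup.exe.sig
# The signing key must already be in the local keyring. A merely "good"
# signature from any other key in the keyring is not accepted.
verify_installer() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_matches_pin "$PINNED_FPR"
}
```

Checking only gpg's exit code would accept a signature from any key present in the keyring; comparing the VALIDSIG fingerprint against the pinned value is what ties the result to the separately obtained trust record.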

