hacked package on server
Mon Jul 16 16:17:00 GMT 2007
> On Mon, Jul 16, 2007 at 10:30:52AM -0500, Louis Kruger wrote:
> > I also have a complaint: the dialog that notifies the user of the failed
> > MD5 is not well designed. The dialog asks "Do you want to skip the
> > package?" and has a yes and no button. I read it quickly and pressed no
> > before thinking about it, and the package went ahead and tried to install. I
> > think there should be a little more effort to restrain the user from
> > performing a dangerous action such as installing a package with a wrong MD5.
> Good point. The message should probably be
> Do you want to not skip the package (No/Yes)?
I realize you are joking, but the wording of the message is beside the
point. For an ordinary end-user, installing a file with a wrong MD5 is
the wrong (and dangerous) thing to do in just about any case I can think
of. Therefore it should not be equally easy to select either option.
My opinion is that the setup program should abort immediately on
detecting a wrong MD5 with a message that the server may have been
compromised. If there is a special case where someone may actually want
this, it should be something non-obvious, like a -allow-wrong-md5 flag
to the setup program.
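
An added example (not part of the original message, and not code from Cygwin's setup program) of the fail-closed behaviour proposed above: a wrong MD5 aborts by default, and only the explicit -allow-wrong-md5 flag lets installation continue. The function names and command-line layout are assumptions made for illustration.

```python
import argparse
import hashlib
import hmac


class ChecksumMismatch(Exception):
    """The package's MD5 differs from the expected value."""


def md5_of(path, chunk_size=65536):
    # Hash in chunks so large packages are not read into memory at once.
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_package(path, expected_md5, allow_wrong_md5=False):
    """Return "verified" or "overridden"; raise on mismatch by default."""
    actual = md5_of(path)
    if hmac.compare_digest(actual, expected_md5.strip().lower()):
        return "verified"
    if allow_wrong_md5:
        return "overridden"  # explicit opt-in only, never a dialog default
    raise ChecksumMismatch(
        f"{path}: expected MD5 {expected_md5}, got {actual}; "
        "the server may have been compromised")


def main(argv=None):
    # Hypothetical installer front end; flag spelled as in the message.
    parser = argparse.ArgumentParser(description="package checksum gate")
    parser.add_argument("package")
    parser.add_argument("expected_md5")
    parser.add_argument("-allow-wrong-md5", action="store_true")
    args = parser.parse_args(argv)
    try:
        status = check_package(args.package, args.expected_md5,
                               args.allow_wrong_md5)
    except ChecksumMismatch as exc:
        print(f"ABORT: {exc}")
        return 1  # no yes/no prompt: the unsafe path is not offered
    if status == "overridden":
        print("WARNING: MD5 mismatch ignored because -allow-wrong-md5 was given")
    print("proceeding with install")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```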