hacked package on server

Louis Kruger lpkruger@cs.wisc.edu
Mon Jul 16 16:17:00 GMT 2007

> On Mon, Jul 16, 2007 at 10:30:52AM -0500, Louis Kruger wrote:
> > I also have a complaint:  the dialog that notifies the user of the failed 
> > MD5 is not well designed.  The dialog asks "Do you want to skip the 
> > package?" and has a yes and no button.  I read it quickly and pressed no 
> > before thinking about it, the package went ahead and tried to install.  I 
> > think there should be a little more effort to restrain the user from 
> > performing a dangerous action such as installing a package with a wrong MD5.
> Good point.  The message should probably be
> Do you want to not skip the package (No/Yes)?
> cgf

I realize you are joking, but the wording of the message is beside the 
point.  For an ordinary end-user, installing a file with a wrong MD5 is 
the wrong (and dangerous) thing to do in just about any case I can think 
of.  Therefore it should not be equally easy to select either option.

My opinion is that the setup program should abort immediately on 
detecting a wrong MD5 with a message that the server may have been 
compromised.  If there is a special case where someone may actually want 
this, it should be something non-obvious, like a -allow-wrong-md5 flag 
to the setup program.


Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

More information about the Cygwin mailing list