MD5s of setup.exe on mirrors.

Christopher Faylor
Sat May 12 01:52:00 GMT 2007

On Fri, May 11, 2007 at 02:42:33PM -0700, Alexander Sotirov wrote:
>Christopher Faylor wrote:
>>>Nobody seemed to care.  Considering the fact that MD5 collisions are
>>>now trivial to generate, it probably doesn't matter much anyways - the
>>>fact that your copy of setup.exe has the right MD5 doesn't mean that it
>>>hasn't been tampered with.
>>We don't control the content of mirrors.
>>If you think this is an issue, contact the mirror(s) in question.
>This is an issue with the Cygwin website, not the mirrors.

That is your opinion.

>There is a chain of trust from to the mirrors.  Since
>the official Cygwin site list these mirrors at
>, you're endorsing them as an officially
>approved locations to download Cygwin.  This means that you have to
>monitor reports about misbehaving mirrors and remove ones that
>distribute corrupted or possibly malicious binaries under the Cygwin

If/when we find a mirror distributing a malicious binary we will remove

However, in the meantime, I would suggest that people only use the
setup.exe that is distributed from, i.e., click on the
"Install Cygwin Now" link.

Unsubscribe info:
Problem reports:

More information about the Cygwin mailing list