MD5s of setup.exe on mirrors.

Larry Hall (Cygwin)
Mon May 14 19:50:00 GMT 2007

Alexander Sotirov wrote:
> Christopher Faylor wrote:
>> That + if you want to talk about trust then you should trust the method
>> that we advertise for installing cygwin which is to click on the
>> "Install Cygwin Now!" link.
> Are you saying that I should trust setup.exe downloaded from more
> than setup.exe downloaded from a mirror? That doesn't make sense.
> Even if I download setup.exe from, it still fetches the package data
> from a mirror. As far as I know the package data is not signed, so setup.exe
> cannot verify that is has not been tampered with. If a mirror has a modified
> bash package with a malicious binary in it, the result will be no different than
> running an untrusted setup.exe.
> In fact, the mirror list used by setup.exe does not contain the official
> site, giving users no choice but to use (and trust) mirrors.

Do you actually have a question or do you just want to speak your piece?
Seems to me that you're asking questions but then not really paying
attention to the answers, even when they come from a project leader.
Perhaps you want to come at this again and clarify whether you're looking
for information or just want to make a statement.

Larry Hall                    
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746


A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?

Unsubscribe info:
Problem reports:

More information about the Cygwin mailing list