MD5s of setup.exe on mirrors.
Mon May 14 19:50:00 GMT 2007
Christopher Faylor wrote:
> That + if you want to talk about trust then you should trust the method
> that we advertise for installing cygwin which is to click on the
> "Install Cygwin Now!" link.
Are you saying that I should trust setup.exe downloaded from cygwin.com more
than setup.exe downloaded from a mirror? That doesn't make sense.
Even if I download setup.exe from cygwin.com, it still fetches the package data
from a mirror. As far as I know the package data is not signed, so setup.exe
cannot verify that is has not been tampered with. If a mirror has a modified
bash package with a malicious binary in it, the result will be no different than
running an untrusted setup.exe.
In fact, the mirror list used by setup.exe does not contain the official
ftp.cygwin.com site, giving users no choice but to use (and trust) mirrors.
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
More information about the Cygwin