MD5s of setup.exe on mirrors.

Alexander Sotirov
Mon May 14 19:50:00 GMT 2007

Christopher Faylor wrote:
> That + if you want to talk about trust then you should trust the method
> that we advertise for installing cygwin which is to click on the
> "Install Cygwin Now!" link.

Are you saying that I should trust setup.exe downloaded from more
than setup.exe downloaded from a mirror? That doesn't make sense.

Even if I download setup.exe from, it still fetches the package data
from a mirror. As far as I know the package data is not signed, so setup.exe
cannot verify that is has not been tampered with. If a mirror has a modified
bash package with a malicious binary in it, the result will be no different than
running an untrusted setup.exe.

In fact, the mirror list used by setup.exe does not contain the official site, giving users no choice but to use (and trust) mirrors.


Unsubscribe info:
Problem reports:

More information about the Cygwin mailing list