MD5s of setup.exe on mirrors.

Markus E.L.
Mon May 14 20:15:00 GMT 2007

"LarryHall(Cygwin)" writes:

> Alexander Sotirov wrote:
>> Christopher Faylor wrote:
>>> That + if you want to talk about trust then you should trust the method
>>> that we advertise for installing cygwin which is to click on the
>>> "Install Cygwin Now!" link.
>> Are you saying that I should trust setup.exe downloaded from more
>> than setup.exe downloaded from a mirror? That doesn't make sense.
>> Even if I download setup.exe from, it still fetches the package data
>> from a mirror. As far as I know the package data is not signed, so setup.exe
>> cannot verify that is has not been tampered with. If a mirror has a modified
>> bash package with a malicious binary in it, the result will be no different than
>> running an untrusted setup.exe.
>> In fact, the mirror list used by setup.exe does not contain the official
>> site, giving users no choice but to use (and trust) mirrors.
> Do you actually have a question or do you just want to speak your piece?

He probably forgot that the list is for questions only.

> Seems to me that you're asking questions but then not really paying
> attention to the answers, even when they come from a project leader.
> Perhaps you want to come at this again and clarify whether you're looking
> for information or just want to make a statement.

<Shaking my head>. 

Regards -- Markus

Unsubscribe info:
Problem reports:

More information about the Cygwin mailing list