MD5s of setup.exe on mirrors.

Buchbinder, Barry (NIH/NIAID) [E]
Mon May 14 21:03:00 GMT 2007

Alexander Sotirov wrote on Monday, May 14, 2007 3:23 PM:
> Christopher Faylor wrote:
>> That + if you want to talk about trust then you should trust the
>> method that we advertise for installing cygwin which is to click on
>> the "Install Cygwin Now!" link.
> Are you saying that I should trust setup.exe downloaded from
> more than setup.exe downloaded from a mirror? That doesn't
> make sense.
> Even if I download setup.exe from, it still fetches the
> package data from a mirror. As far as I know the package data is not
> signed, so setup.exe cannot verify that it has not been tampered
> with. If a mirror has a modified bash package with a malicious binary
> in it, the result will be no different than running an untrusted
> setup.exe.
> In fact, the mirror list used by setup.exe does not contain the
> official site, giving users no choice but to use (and
> trust) mirrors.
> Alex

Alex and Markus,

This thread has been going on for close to 3 days now.  I respectfully
suggest that you have spent far more time on these emails than you would
have by just using setup as documented
<>.  Indeed, if you had
used setup as documented, you would not have noticed anything.  (Ditto
for the time to look up the mirrors, download setup from the mirrors,
and then run the checksums.)  Also, I would guess that undocumented
methods of getting setup.exe (e.g., pulling it off a mirror) are
probably not supported by this list and might therefore be considered to
be off topic.

I understand that you are perturbed that setup does not behave as you
might have expected.  However, having used cygwin and followed this
mailing list since well before setup was introduced (one downloaded a
single zip file in those days), I can tell you that you are not the
first person to question this or that aspect of setup.  Let it suffice
for me to say that the people who designed and programmed setup actually
use it.  They are well aware of any problems and limitations that
setup.exe might have.  They put a lot of thought into its design and a
lot of work into its coding.  I would suggest that if they made
decisions differently than you might have, you should consider giving
them the benefit of the doubt and assume that they had good reasons for
things to be arranged as they are.  Otherwise, PTC.

This reminds me of a conversation I heard over the weekend.  A man
showed a physician (a professor at Johns Hopkins Medical School) a nasty
rash that he had.  She told him that it might be caused by an infectious
agent and that he should see his doctor ASAP and possibly get
antibiotics.  He started arguing with her about the sensibility of her
diagnosis and advice.  When I realized the absurdity of the situation, I
could not refrain from interjecting "Why are you arguing with her!?!"
He responded that he was a lawyer and tended to argue with everyone.

If one is really disturbed by these issues, one might look into ways
other than cygwin to get POSIX onto a Windows machine.

For the record, here's what I do.

  - I download setup.exe to a local disk from "Install Cygwin Now".
  - I run setup.exe from this downloaded copy.
  - When I run setup.exe, it tells me if setup.ini was generated for use
    in a setup version newer than the one that I am running.
  - When so informed, I cancel the run, re-download setup.exe, and start
    my setup.exe run over.

The advantage of this is that one need not download setup each time,
thereby saving a bit of bandwidth.

FYI: Setup functionality is described here:

- Barry
  -  Disclaimer: Statements made herein are not made on behalf of NIAID.
