Mirrors in GPL violation? + Re: MD5s of setup.exe on mirrors.

Markus E.L. ls-cygwin-2006@m-e-leypold.de
Mon May 14 23:23:00 GMT 2007

"Buchbinder,Barry(NIH/NIAID)[E]" writes:

<long explanation>

Barry, my and (AFAI understand) Alex' problem is not with using setup
- I for my part am quite comfortable with how I start setup. Alex (in
my humble opinion rightly) is concerned with questions of trust and
endorsement (like: cygwin.com lists the mirrors as source of the
software, then declines any responsibility for the actual content of
those mirrors down to "we cannot be bothered with working with the
mirror admins even if they (would) carry the wrong software with our
name on it" -- I wouldn't handle it like that, but YMMV). I now prefer
not to touch this subject, having already gotten flamed my ass off
this week (so I'm tending the blisters instead) but I think, Alex'
considerations (which have broader implications on "how do I, how does
anyone distribute software") are legitimate. Perhaps they can even
lead to a wishlist for the next generation of setup? Cryptographically
strong signed checksums are all the rage presently in package managers
and for a good reason: A malicious mirror or a careless mirror
administrator provides an excellent attack vector (this has already
happened in a number of related scenarios) and it would be a boon to
the users of cygwin not to have to trust the security or the
competence of some university-run mirrors (no staff, no money)
instead of only the cygwin team.

My concern on the other side was only: "What the hell is md5.sum (on
the mirrors) then for, if it doesn't contain the right sums".

If I were the cygwin team, and felt so strongly about nobody ever
running setup.exe from the mirrors, I'd probably pull it from the
master sites (and consequently the mirrors) and replace it by a README
effectively telling the reader to get/run setup.exe from
cygwin.com. This would be in concordance with the fact that setup is
already organised as a separate project.


Interestingly enough, setup seems to be GPL (most of the sources carry a
GPL header), but the mirrors don't carry the source (since the source
is only on http://cygwin.com/setup). Do they violate the GPL then?
Pulling setup.exe from the mirrors' master site would fix that too.

> This thread has been going on for close to 3 days now.  

Is there a well known time limit on threads?

Regards -- Markus
