Mirrors in GPL violation? + Re: MD5s of setup.exe on mirrors.

Dave Korn dave.korn@artimi.com
Tue May 15 00:29:00 GMT 2007

On 15 May 2007 00:24, Markus E.L. wrote:

> is concerned with questions of trust and
> endorsement 

  That's the underlying source of your error right there: a false assumption.

> (like: cygwin.com lists the mirrors as source of the
> software, then declines any responsibility for the actual content of
> those mirrors 

  Yep.  Welcome to the internet; google 'autonomous system' to find out more.

> down to "we cannot be bothered with working with the
> mirror admins even if they (would) carry the wrong software with our
> name on it"

  Mirrors get automatically tested and delisted if they aren't up-to-date.
Apparently only non-trivial discrepancies matter.

>  -- I wouldn't handle it like that, but YMMV

  Which is precisely why you're wasting time here.

> I now prefer
> not to touch this subject, having already gotten flamed my ass off
> this week (so I'm tending the blisters instead) but I think, Alex'
> considerations 

  You are conflating two entirely different issues here.  There is absolutely
no connection between "what copyrights do I have to observe if I want to
distribute something" and "some mirrors aren't up-to-date".

> Perhaps they can even
> lead to a wishlist for the next generation of setup? 

  Yes, that's a reasonable discussion, particularly if you're volunteering to
do the work yourself.  Much less so if you aren't.  However, if you do want to
help create such a scheme, patches and discussions about setup.exe should be
sent to the -apps list.

> Cryptographically
> strong signed checksums are all the rage 

  That isn't exactly a technical argument, is it?

> My concern on the other side was only: "What the hell is md5.sum (on
> the mirrors) then for, if it doesn't contain the right sums".

  As I explained: transmission checksum.  Not security, not authentication,
nothing else at all.  Your mistake and your fault if you think that it's
something it's not, just because the md5 algorithm is involved.  See AC2 for
more details on the differences between authentification and identification.
> If I where the cygwin team

  And if my aunt had balls, she'd be my uncle.  But she doesn't, and she
isn't, and any attempt to reason from contrafactuals is broken before it even
gets off the ground.

  Plus, TINCT.

> and felt so strongly 

  And if you were part of the "cygwin team" and /didn't/ feel so strongly?

> about nobody ever
> running setup.exe from the mirrors, I'd probably pull it from the
> master sites 

  Nobody has ever cared before you and nobody is ever likely to care again,
but you've gotten that done just to shut this everlasting thread down.

> and consequently the mirrors) and replace it by a README
> effectively telling the reader to get/run setup.exe from
> cygwin.com. This would be in concordance with the fact that setup is
> already organised as a seperate project.
>   http://cygwin.com/setup/

  You imagine structure, organisation and management where there is none.  It
is neither separate, nor the same, nor a "project".

> Interesting enough, setup seems to be GPL (most of the sources carry a
> GPL header), but the mirrors don't carry the source (since the source
> is only on http://cygwin.com/setup). Do they violate the GPL then?

  The copyright owner is at liberty to not give a damn.

> Is there a well known time limit on threads?

  Yep.  Everyone knows that when something gets pointless, boring, and
unproductively repetitious, the limit has already been reached.

  That's just real life, not computers.

Can't think of a witty .sigline today....

Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

More information about the Cygwin mailing list