Should cygwin's setup*.exe be signed using Sign Tool?

Corinna Vinschen corinna-cygwin@cygwin.com
Fri Apr 3 11:37:00 GMT 2015


On Apr  2 23:27, David A. Wheeler wrote:
> On Thu, 2 Apr 2015 21:23:16 -0400, Bryan Berns <bryan.berns@gmail.com> wrote:
> > Since the setup executable is responsible for running a whole bunch of
> > community contributed post-install executables as part of the
> > installation process, I'm not sure whether it'd be advisable to stamp
> > a particular individual's name or company's name on the executable
> > installer (e.g. Red Hat, for example).
> 
> I would expect the publisher to be "The Cygwin Project".
> That's what the website says, after all!
> 
> In my mind, the point of the signature would be to assure that you have the correct
> (untainted) installer, and that the other software installed was the one from Cygwin.
> As far as community install issue goes, the same thing is true for Fedora, Debian, etc.,
> and that seems to be reasonably understood.

We're not going to change anything.  From my POV there's no good reason
to use Windows tools, especially given that the entire infrastructure is
running on an RHEL box.  So we're using the key on sourceware.org with
the GPG tool running under Linux on sourceware.org.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat