SSL not required for setup.exe download

Andrey Repin
Tue Mar 12 20:35:00 GMT 2019

Greetings, Lee!

>> Which is way worse in my opinion, than any theoretical MITM attack, which
>> is easily mitigated with proper validation of your downloads.

> Serious question - exactly how does one do "proper validation of your
> downloads"?

Use PGP signature to validate the installer. Use separate channel to obtain
trust records for PGP key used in signing.

And not blindly trust "supposedly-secure" connections.

With best regards,
Andrey Repin
Tuesday, March 12, 2019 23:31:45

Sorry for my terrible english...

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list