On Tue, Mar 16, 2010 at 3:25 AM, Steven Monai wrote: [snip] > IT departments are becoming increasingly security conscious. That's > probably why the OP had trouble downloading setup.exe. It wasn't because > his IT was "brain-dead", but because there are legitimate security > concerns about downloading an unsigned exe over a non-SSL-authenticated > channel.
Unfortunately, many IT departments follow the "We must do something. This is something. Therefore we must do this." action plan :/ Installing a webfilter falls into this category, IMO. > I suggest people inform themselves about the current state of art in > "man-in-the-middle" hijacking attacks, because the means by which > cygwin.com currently distributes setup.exe is vulnerable to a MITM > surreptitiously delivering a trojan setup.exe in place of the actual. > For this reason, I caution Cygwin users against downloading setup.exe > over unsafe networks (e.g. public wireless hotspots, hotel networks, etc.). Or the Internet, in general :) Perhaps the MD5 and/or SHA1 checksums for the current setup.exe should be published (and updated every time there's a new release) next to the download link (like Apache does, for example) -- Life is complex, with real and imaginary parts -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
