On Fri, May 11, 2007 at 02:42:33PM -0700, Alexander Sotirov wrote: >Christopher Faylor wrote: >>>Nobody seemed to care. Considering the fact that MD5 collisions are >>>now trivial to generate, it probably doesn't matter much anyways - the >>>fact that your copy of setup.exe has the right MD5 doesn't mean that it >>>hasn't been tampered with. >> >>We don't control the content of mirrors. >> >>If you think this is an issue, contact the mirror(s) in question. > >This is an issue with the Cygwin website, not the mirrors.
That is your opinion. >There is a chain of trust from http://cygwin.com to the mirrors. Since >the official Cygwin site list these mirrors at >http://cygwin.com/mirrors.html, you're endorsing them as an officially >approved locations to download Cygwin. This means that you have to >monitor reports about misbehaving mirrors and remove ones that >distribute corrupted or possibly malicious binaries under the Cygwin >name. If/when we find a mirror distributing a malicious binary we will remove it. However, in the meantime, I would suggest that people only use the setup.exe that is distributed from cygwin.com, i.e., click on the "Install Cygwin Now" link. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
