Alexander Sotirov wrote: > Christopher Faylor wrote: >> That + if you want to talk about trust then you should trust the method >> that we advertise for installing cygwin which is to click on the >> "Install Cygwin Now!" link. > > Are you saying that I should trust setup.exe downloaded from cygwin.com more > than setup.exe downloaded from a mirror? That doesn't make sense. > > Even if I download setup.exe from cygwin.com, it still fetches the package > data > from a mirror. As far as I know the package data is not signed, so setup.exe > cannot verify that is has not been tampered with. If a mirror has a modified > bash package with a malicious binary in it, the result will be no different > than > running an untrusted setup.exe. > > In fact, the mirror list used by setup.exe does not contain the official > ftp.cygwin.com site, giving users no choice but to use (and trust) mirrors.
Do you actually have a question or do you just want to speak your piece? Seems to me that you're asking questions but then not really paying attention to the answers, even when they come from a project leader. Perhaps you want to come at this again and clarify whether you're looking for information or just want to make a statement. -- Larry Hall http://www.rfk.com RFK Partners, Inc. (508) 893-9779 - RFK Office 216 Dalton Rd. (508) 893-9889 - FAX Holliston, MA 01746 _____________________________________________________________________ A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting annoying in email? -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
