On Mon, May 14, 2007 at 03:50:16PM -0400, Larry Hall (Cygwin) wrote: >Alexander Sotirov wrote: >> Christopher Faylor wrote: >>>That + if you want to talk about trust then you should trust the method >>>that we advertise for installing cygwin which is to click on the >>>"Install Cygwin Now!" link. >> >>Are you saying that I should trust setup.exe downloaded from cygwin.com >>more than setup.exe downloaded from a mirror? That doesn't make sense. >> >>Even if I download setup.exe from cygwin.com, it still fetches the >>package data from a mirror. As far as I know the package data is not >>signed, so setup.exe cannot verify that is has not been tampered with. >>If a mirror has a modified bash package with a malicious binary in it, >>the result will be no different than running an untrusted setup.exe. >> >>In fact, the mirror list used by setup.exe does not contain the >>official ftp.cygwin.com site, giving users no choice but to use (and >>trust) mirrors. > >Do you actually have a question or do you just want to speak your >piece? Seems to me that you're asking questions but then not really >paying attention to the answers, even when they come from a project >leader. Perhaps you want to come at this again and clarify whether >you're looking for information or just want to make a statement.
No, please. Can't we just drop this? This is obviously just one of those pointless cyclic usenet discussions which doesn't go anywhere. cgf -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
