"LarryHall(Cygwin)" writes: > Alexander Sotirov wrote: >> Christopher Faylor wrote: >>> That + if you want to talk about trust then you should trust the method >>> that we advertise for installing cygwin which is to click on the >>> "Install Cygwin Now!" link. >> >> Are you saying that I should trust setup.exe downloaded from cygwin.com more >> than setup.exe downloaded from a mirror? That doesn't make sense. >> >> Even if I download setup.exe from cygwin.com, it still fetches the package >> data >> from a mirror. As far as I know the package data is not signed, so setup.exe >> cannot verify that is has not been tampered with. If a mirror has a modified >> bash package with a malicious binary in it, the result will be no different >> than >> running an untrusted setup.exe. >> >> In fact, the mirror list used by setup.exe does not contain the official >> ftp.cygwin.com site, giving users no choice but to use (and trust) mirrors. > > Do you actually have a question or do you just want to speak your piece?
He probably forgot that the list is for questions only. > Seems to me that you're asking questions but then not really paying > attention to the answers, even when they come from a project leader. > Perhaps you want to come at this again and clarify whether you're looking > for information or just want to make a statement. <Shaking my head>. Regards -- Markus -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
