This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Cygwin's installation and security models?
- From: <lloyd dot wood at yahoo dot co dot uk>
- To: "cygwin at cygwin dot com" <cygwin at cygwin dot com>
- Date: Wed, 17 Aug 2016 10:24:58 +0000 (UTC)
- Subject: Re: Cygwin's installation and security models?
- Authentication-results: sourceware.org; auth=none
- References: <1740128398.25713364.1471398599819.JavaMail.yahoo.ref@mail.yahoo.com> <1740128398.25713364.1471398599819.JavaMail.yahoo@mail.yahoo.com>
- Reply-to: <lloyd dot wood at yahoo dot co dot uk>
Specifically, when I launch Cygwin's setup.exe, I am warned:
"Do you want to allow this app from an unknown publisher to
make changes to your system?"
That code could be anything. I think that means that
if your website gets hacked, and the setup binaries
get replaced, everyone is in trouble. Compare with the
recent Classic Shell hack where not having a signed
installer was, at least, a warning.
http://www.bleepingcomputer.com/news/security/audacity-and-classic-shell-download-server-hacked-by-pegglecrew-/
I'd expect the app to be signed and generate a UAC
prompt saying it was signed by Red Hat or similar.
Lloyd Wood lloyd.wood@yahoo.co.uk http://savi.sf.net/
----- Original Message -----
From: "lloyd.wood@yahoo.co.uk" <lloyd.wood@yahoo.co.uk>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Sent: Wednesday, 17 August 2016, 11:49
Subject: Cygwin's installation and security models?
I'd like to understand Cygwin's installation and
security models better:
- Cygwin's installers aren't signed.
- downloads are from a number of untrusted mirrors
via http/ftp, and packages aren't verified.
Is this correct?
thanks
Lloyd Wood lloyd.wood@yahoo.co.uk http://savi.sf.net/
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
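The two checks the thread is asking about (is the installer signed by a known publisher, and does the downloaded file match what the project published) can be automated on the Windows side before the installer is ever run. The script below is an added example written for this archive page; it is not code from the Cygwin project or from the poster. It uses the stock `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets; the installer path and the expected SHA-512 value are assumed placeholders, and the expected hash must be obtained over a channel independent of the mirror the file came from, otherwise the comparison proves nothing.

```powershell
# Added example (not from the Cygwin list thread): verifies a downloaded
# installer before it is executed. Path and expected hash are placeholders.
param(
    [string]$InstallerPath  = 'C:\Downloads\setup.exe',                  # assumed path
    [string]$ExpectedSha512 = '<SHA512 PUBLISHED BY THE PROJECT, OUT OF BAND>' # placeholder
)

function Test-InstallerTrust {
    param([string]$Path, [string]$ExpectedHash)

    $result = [ordered]@{ Path = $Path; Signed = $false; Signer = $null; HashMatches = $false }

    # Authenticode check. Status 'Valid' means the signature chains to a trusted
    # root and the file has not been modified since signing. An unsigned file
    # (the situation described in the thread) reports 'NotSigned', which is
    # why UAC shows "unknown publisher" for it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        $result.Signed = $true
        $result.Signer = $sig.SignerCertificate.Subject
    }

    # Integrity check against a hash obtained independently of the download
    # mirror. A hash served by the same untrusted mirror as the file adds nothing.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA512).Hash
    $result.HashMatches = ($actual -ieq $ExpectedHash)

    [pscustomobject]$result
}

$check = Test-InstallerTrust -Path $InstallerPath -ExpectedHash $ExpectedSha512
$check | Format-List

# Refuse to proceed unless both the signature and the hash check out.
if (-not $check.Signed -or -not $check.HashMatches) {
    Write-Warning 'Installer is unsigned and/or does not match the expected hash; do not run it.'
    exit 1
}
```

Run it as `.\Test-Installer.ps1 -InstallerPath .\setup.exe -ExpectedSha512 <hash>`. The signature check answers the "unknown publisher" concern; the hash check covers the mirror-substitution case, since a valid signature from the right publisher already implies integrity, but an unsigned file can only be vouched for by a hash published somewhere the mirror operator does not control.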