This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: SSL not required for setup.exe download

From: Lee <ler762 at gmail dot com>
To: cygwin at cygwin dot com
Date: Tue, 12 Mar 2019 18:01:25 -0400
Subject: Re: SSL not required for setup.exe download
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w@mail.gmail.com> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA@mail.gmail.com> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q@mail.gmail.com> <1406950005.20190312031618@yandex.ru> <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg@mail.gmail.com> <1715197846.20190312233340@yandex.ru> <CAD8GWstmfqEomcMJ4zu75LLGyy236bkp3EN_CxMewMkJX+e5OQ@mail.gmail.com> <3510142791.20190313003420@yandex.ru>

On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>>>> which
>>>>> is easily mitigated with proper validation of your downloads.
>>>
>>>> Serious question - exactly how does one do "proper validation of your
>>>> downloads"?
>>>
>>> Use PGP signature to validate the installer. Use separate channel to
>>> obtain
>>> trust records for PGP key used in signing.
>
>> Yes, in the ideal world.  But at least in my experience, most windows
>> software doesn't come with a pgp signature & using a separate channel
>> to get the pgp key isn't so easy.
>
> In my experience, this is a Cygwin mailing list and we're discussing issues
> of obtaining and verifying the authenticity of setup.exe.

But you made proper validation sound so easy and so general :)

But ok, we'll limit it to just the cygwin setup.exe.  What separate
channel is available for finding the cygwin signing key?  My
recollection is that I gave up looking & used the link on the install
page to get the public key.

> P.S.
> In regard to Cygwin mailing list, please teach your mail agent to not quote
> raw email addresses.

Sorry about that

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

References:
- SSL not required for setup.exe download
  - From: Archie Cobbs
- Re: SSL not required for setup.exe download
  - From: Brian Inglis
- Re: SSL not required for setup.exe download
  - From: Archie Cobbs
- Re: SSL not required for setup.exe download
  - From: Brian Inglis
- Re: SSL not required for setup.exe download
  - From: Archie Cobbs
- Re: SSL not required for setup.exe download
  - From: Brian Inglis
- Re: SSL not required for setup.exe download
  - From: Archie Cobbs
- Re: SSL not required for setup.exe download
  - From: Andrey Repin
- Re: SSL not required for setup.exe download
  - From: Lee
- Re: SSL not required for setup.exe download
  - From: Andrey Repin
- Re: SSL not required for setup.exe download
  - From: Lee
- Re: SSL not required for setup.exe download
  - From: Andrey Repin

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]