This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: SSL not required for setup.exe download
On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>>>> which
>>>>> is easily mitigated with proper validation of your downloads.
>>>
>>>> Serious question - exactly how does one do "proper validation of your
>>>> downloads"?
>>>
>>> Use PGP signature to validate the installer. Use separate channel to
>>> obtain
>>> trust records for PGP key used in signing.
>
>> Yes, in the ideal world. But at least in my experience, most windows
>> software doesn't come with a pgp signature & using a separate channel
>> to get the pgp key isn't so easy.
>
> In my experience, this is a Cygwin mailing list and we're discussing issues
> of obtaining and verifying the authenticity of setup.exe.
But you made proper validation sound so easy and so general :)
But ok, we'll limit it to just the cygwin setup.exe. What separate
channel is available for finding the cygwin signing key? My
recollection is that I gave up looking & used the link on the install
page to get the public key.
> P.S.
> In regard to Cygwin mailing list, please teach your mail agent to not quote
> raw email addresses.
Sorry about that
Regards,
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple