MD5s of setup.exe on mirrors.
Dave Korn
dave.korn@artimi.com
Mon May 14 20:09:00 GMT 2007
On 14 May 2007 20:23, Alexander Sotirov wrote:
> Even if I download setup.exe from cygwin.com, it still fetches the package
> data from a mirror. As far as I know the package data is not signed, so
> setup.exe cannot verify that is has not been tampered with. If a mirror has
> a modified bash package with a malicious binary in it, the result will be
> no different than running an untrusted setup.exe.
You're half-way there: you're completely right that the package data is not
signed, and therefore setup.exe cannot verify it has not been tampered with.
The missing part of the puzzle is to realise that the md5sums for the
packages are /not/ there for any kind of trust or authenticity. They are
*solely* there to provide robust checksums against download errors. All other
considerations are irrelevant.
cheers,
DaveK
--
Can't think of a witty .sigline today....
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
More information about the Cygwin
mailing list