From: Andrey Repin
Reply-To: cygwin@cygwin.com
To: Lee, cygwin@cygwin.com
Date: Tue, 12 Mar 2019 21:35:00 -0000
Subject: Re: SSL not required for setup.exe download
Message-ID: <3510142791.20190313003420@yandex.ru>

Greetings, Lee!

>> Greetings, Lee!
>>
>>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>>> which is easily mitigated with proper validation of your downloads.
>>
>>> Serious question - exactly how does one do "proper validation of your
>>> downloads"?
>>
>> Use PGP signature to validate the installer. Use separate channel to obtain
>> trust records for PGP key used in signing.

> Yes, in the ideal world. But at least in my experience, most Windows
> software doesn't come with a PGP signature & using a separate channel
> to get the PGP key isn't so easy.

In my experience, this is a Cygwin mailing list and we're discussing issues of
obtaining and verifying the authenticity of setup.exe.

P.S.
In regard to Cygwin mailing list, please teach your mail agent to not quote raw
email addresses.

-- 
With best regards,
Andrey Repin
Wednesday, March 13, 2019 0:32:21

Sorry for my terrible English...
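
The validation described in the message above, as an added example (not part of the original message and not Cygwin's own tooling): a POSIX shell check that accepts an installer only when GnuPG reports a valid detached signature made by the key whose fingerprint was pinned from a separate channel. The function names, the placeholder `PINNED_FPR` and the constructed sample fingerprint are assumptions; the status keywords are those GnuPG emits with `--status-fd`.

```shell
#!/bin/sh
# Added example: accept an installer only if its detached PGP signature is
# valid AND was made by the key pinned from a separate channel.

# Placeholder: replace with the fingerprint you obtained out of band.
PINNED_FPR="0000000000000000000000000000000000000000"

# Constructed sample data (not a real key), used to exercise check_status.
SAMPLE_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
sample_status() {
    printf '%s\n' \
        "[GNUPG:] GOODSIG 0000111122223333 Constructed Signer" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2019-03-12 1552426501 0 4 0 1 8 00 $SAMPLE_FPR"
}

# check_status FPR   (reads gpg --status-fd lines on stdin)
# Succeeds only if a VALIDSIG line names FPR and nothing reports a bad,
# expired or revoked signature or key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, last field the primary key.
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_installer FILE SIGFILE [FPR]
# Relies on the machine-readable status lines, not on the "Good signature"
# text, which is printed for any key present in the keyring.
verify_installer() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "${3:-$PINNED_FPR}"
}

if [ "$#" -ge 2 ]; then
    if verify_installer "$1" "$2"; then
        echo "signature valid and signer matches pinned key"
    else
        echo "REJECT: do not run $1" >&2
        exit 1
    fi
fi
```

The signing key still has to be imported into the local keyring before `gpg --verify` can produce a `VALIDSIG` line; the pin is what ties that key to the fingerprint obtained out of band.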