public inbox for cygwin@cygwin.com
From: Joel Rees <joel.rees@gmail.com>
To: cygwin@cygwin.com
Subject: How to trust setup.exe?
Date: Fri, 26 Apr 2019 16:28:00 -0000	[thread overview]
Message-ID: <CAAr43iMirXR-r=Jmy1S0za8Pz-yS-beOGouydkrScHKETEmiZg@mail.gmail.com> (raw)

When bootstrapping a chain of trust, having multiple sources for the
checksum values is significantly better than starting blind.

I'm writing a blogpost on the use of multiple sources, using cygwin as
an example, but the announcements for the updates of setup_xx.exe do
not include the checksums. And the mirrors don't seem to keep
setup_xx.exe. And the mirrors are all using .bz and .xz compression,
which many MS Windows boxes are not able to open without 3rd party help,
which is a vicious cycle.

The blogpost:
https://joels-programming-fun.blogspot.com/2019/04/bootstrapping-your-freedom-cygwin-gpg.html

Would it be impossible to ask someone in the project to put the
checksums in the announcements for setup?

And what about putting a regular zip compressed setup on the mirrors,
so we can run certutil to check the checksum of the setup we run when
we grab our first download, then grab gpg with a somewhat trusted
system to use when checking the next version of setup that we
download?

It would not be a perfect chain, but without that we have nothing but
broken links and reverse implications.

-- 
Joel Rees

http://reiisi.blogspot.jp/p/novels-i-am-writing.html

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
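The multi-source check the message proposes, as an added example that is not part of the original post or of the Cygwin project: the digest of the downloaded setup executable is compared against checksum values collected independently (announcement mail, project web page, a mirror's checksum file), and the check only passes when every source agrees with the file and a minimum number of sources was consulted. Written for a POSIX shell as typed into Cygwin; the file name and checksum values in the test are constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's code. Compares one downloaded file
# against checksums gathered from several independent sources.

# hash_file FILE -> prints the lowercase SHA-256 hex digest of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_multi FILE MIN_SOURCES EXPECTED...
# Returns 0 only if at least MIN_SOURCES expected values were supplied and
# every one of them equals the file's actual digest. Any mismatch (a bad
# download, or two sources that disagree with each other) returns 1, as
# does consulting too few sources, so a single tampered value cannot pass.
verify_multi() {
    file=$1; min=$2; shift 2
    if [ "$#" -lt "$min" ]; then
        echo "only $# checksum source(s) supplied, need at least $min" >&2
        return 1
    fi
    actual=$(hash_file "$file")
    rc=0
    for expected in "$@"; do
        # Sources publish digests in mixed case; normalise before comparing.
        expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
        if [ "$expected" = "$actual" ]; then
            echo "ok   $expected"
        else
            echo "FAIL $expected (file has $actual)" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

On a bare Windows box without Cygwin the same digest can be produced with `certutil -hashfile <setup.exe> SHA256`, which is the step the message describes before gpg is available.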
