From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 106884 invoked by alias); 26 Apr 2019 16:28:26 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 106868 invoked by uid 89); 26 Apr 2019 16:28:26 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=zip, HX-Languages-Length:1196, compression, sk:bootstr X-HELO: mail-wm1-f42.google.com Received: from mail-wm1-f42.google.com (HELO mail-wm1-f42.google.com) (209.85.128.42) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 26 Apr 2019 16:28:24 +0000 Received: by mail-wm1-f42.google.com with SMTP id o25so4509226wmf.5 for ; Fri, 26 Apr 2019 09:28:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=8xyzfR0qI1NzJiR41rXYeu0zjl+SISguGGpDDhq6siQ=; b=oTwhKeNpyrFlqwrkjzf0LnyESYiCoM1MYtl994OctXm6GQfZNmOXFo70FiSAmQf/ct er1JtM9ePJvO6zjG2kyiFriK+tKq4AT13lbXs9h1Bh4M7p2wgbPa5vBQi+sjj3TrPFFz sZofVmRgyApZs3mGeLY29mjwDd6b9Dve/K707h+pYilCzIoLa3zhbfy2itX+Qjktz6He oiCpLLEMKnvQn4o51dRqqjaG1oweChfaBc4n95ZK99gffjWtCn7bvHsQr8hbB6gL2wKO MjXC8zAOGeASh+xak4kzHVoPYJIsj+e6O0R1VduzkkNq+N2JIj+GslCZqq2EDlBQPl0G 8fJg== MIME-Version: 1.0 From: Joel Rees Date: Fri, 26 Apr 2019 16:28:00 -0000 Message-ID: Subject: How to trust setup.exe? To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2019-04/txt/msg00194.txt.bz2 When bootstrapping a chain of trust, having multiple sources for the checksum values is significantly better than starting blind. I'm writing a blogpost on the use of multiple sources, using cygwin as an example, but the announcements for the updates of setup_xx.exe do not include the checksums. And the mirrors don't seem to keep setup_xx.exe. And the mirrors are all using .bz and .xz compression, which many MSWindowsboxes are not able to open without 3rd party help, which is a vicious cycle. The blogpost: https://joels-programming-fun.blogspot.com/2019/04/bootstrapping-your-freedom-cygwin-gpg.html Would it be impossible to ask someone in the project to put the checksums in the announcements for setup? And what about putting a regular zip compressed setup on the mirrors, so we can run certutil to check the checksum of the setup we run when we grab our first download, then grab gpg with a somewhat trusted system to use when checking the next version of setup that we download? It would not be a perfect chain, but without that we have nothing but broken links and reverse implications -- Joel Rees http://reiisi.blogspot.jp/p/novels-i-am-writing.html -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple