From: Lee
Date: Tue, 12 Mar 2019 21:14:00 -0000
Subject: Re: SSL not required for setup.exe download
To: cygwin@cygwin.com
In-Reply-To: <1715197846.20190312233340@yandex.ru>
References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> <1406950005.20190312031618@yandex.ru> <1715197846.20190312233340@yandex.ru>
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
X-SW-Source: 2019-03/txt/msg00317.txt.bz2

On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>> Which is way worse in my opinion, than any theoretical MITM attack, which
>>> is easily mitigated with proper validation of your downloads.
>
>> Serious question - exactly how does one do "proper validation of your
>> downloads"?
>
> Use a PGP signature to validate the installer. Use a separate channel to
> obtain trust records for the PGP key used in signing.

Yes, in the ideal world. But at least in my experience, most Windows software
doesn't come with a PGP signature & using a separate channel to get the PGP
key isn't so easy.

Just out of curiosity... has the Cygwin public key been posted in multiple
places or sent to the mailing list? Getting the exe, sig & key from
https://cygwin.com/install.html seems not the best security.

> And not blindly trust "supposedly-secure" connections.

I don't. But I trust TLS connections a lot more than I trust clear-text
connections.

Regards,
Lee

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
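The exchange above turns on two separate steps: checking the installer's PGP signature, and binding the signing key to a trust record obtained over a channel other than the download site. The script below is an added example, not part of the thread and not Cygwin's own tooling, showing how a verifier can enforce both. It imports the downloaded key into a throwaway keyring (so nothing in the user's default keyring can lend it trust), runs `gpg --verify` with `--status-fd`, and then accepts the result only if the `VALIDSIG` status line names a primary-key fingerprint equal to one pinned in the script. The pinned fingerprint here is a constructed placeholder, not the real Cygwin key; the file names are whatever the user downloaded.

```shell
#!/bin/sh
# Added example (not from the thread): verify a detached PGP signature and
# require the signing key's primary fingerprint to match one obtained out of band.

# Constructed placeholder. Replace with the fingerprint from your separate-channel
# trust record (a printed fingerprint, a key posted to the list, a keyserver lookup).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status PINNED_FPR STATUS_TEXT
# Parses gpg --status-fd output. Returns 0 only when a VALIDSIG line carries a
# primary-key fingerprint (its last field) equal to PINNED_FPR, compared
# case-insensitively. A GOODSIG line alone is not sufficient: gpg emits GOODSIG
# for any key present in the keyring, whether or not anyone trusts it.
check_status() {
    pinned=$1
    status=$2
    printf '%s\n' "$status" | awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($NF) == toupper(want)) ok = 1
        }
        END { if (ok) exit 0; exit 1 }'
}

# verify_download FILE SIG KEYFILE
# Verifies FILE against the detached signature SIG using only the key in
# KEYFILE, inside a temporary GnuPG home, then applies the fingerprint pin.
# Returns 0 on success; any failure (bad import, bad signature, wrong key) is 1.
verify_download() {
    file=$1
    sig=$2
    keyfile=$3
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    if ! gpg --batch --quiet --homedir "$tmp" --import "$keyfile" >/dev/null 2>&1; then
        rm -rf "$tmp"
        return 1
    fi
    # --status-fd 1 sends machine-readable status lines to stdout; the human
    # readable report goes to stderr and is discarded here.
    status=$(gpg --batch --homedir "$tmp" --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
    check_status "$PINNED_FPR" "$status"
}

# Usage: sh verify.sh <installer> <installer.sig> <pubkey.asc>
if [ "$#" -eq 3 ]; then
    if verify_download "$1" "$2" "$3"; then
        echo "OK: signature valid and signing key matches pinned fingerprint"
    else
        echo "FAIL: do not run $1" >&2
        exit 1
    fi
fi
```

The pin is what makes the separate channel matter: a signature that verifies against a key fetched from the same page as the installer proves only that whoever served the page also served a matching key. Comparing against a fingerprint recorded elsewhere is the check that turns "signed" into "signed by the key I expected".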