From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 21738 invoked by alias); 12 Mar 2019 22:01:29 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 21726 invoked by uid 89); 12 Mar 2019 22:01:29 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=obtaining, HX-Received:538b, HX-Google-DKIM-Signature:FDF, H*r:a0c X-HELO: mail-qt1-f182.google.com Received: from mail-qt1-f182.google.com (HELO mail-qt1-f182.google.com) (209.85.160.182) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 12 Mar 2019 22:01:27 +0000 Received: by mail-qt1-f182.google.com with SMTP id d16so4444898qtn.10 for ; Tue, 12 Mar 2019 15:01:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=uU+RUuTeKgt4NHVozsOlRAkK8qIgrayv5H9odU+85Xw=; b=a8D+zQ0MpfBomc2gFmWsIUVhsTx2jaR3uRRppYVDjQoAr15ozORIwlBQ7zeA49tlGi 8Y7lhBJJdiLLNHIbTksSaxfDOawSjS3ZL1dv5rpH2Pke/mT5SoEaOSz8KN/PEtWHBAhG 5PC8kOyh2tKt+j2jLk5cI+gZlv+EdQ+rFP9ZNukS+mSS6YaYRObrx8QfWXjMqTInUv18 /cZbP2T35f8JhtjQBZVWvC/3pFYZMYgA8cYoBF74ZFACfXF/O8yBTLEuOjsCZhUsnfge 41RfLJgX033qJycTprDLw3k4J7ZdlhGZkWsgCkDNsUUGtRxjFRkw9uh7+tSolgVUvmaa YToQ== MIME-Version: 1.0 Received: by 2002:a0c:98ed:0:0:0:0:0 with HTTP; Tue, 12 Mar 2019 15:01:25 -0700 (PDT) In-Reply-To: <3510142791.20190313003420@yandex.ru> References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> <1406950005.20190312031618@yandex.ru> <1715197846.20190312233340@yandex.ru> <3510142791.20190313003420@yandex.ru> From: Lee Date: Tue, 12 Mar 2019 22:01:00 -0000 Message-ID: Subject: Re: SSL not required for setup.exe download To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00324.txt.bz2 On 3/12/19, Andrey Repin wrote: > Greetings, Lee! > >>>>> Which is way worse in my opinion, than any theoretical MITM attack, >>>>> which >>>>> is easily mitigated with proper validation of your downloads. >>> >>>> Serious question - exactly how does one do "proper validation of your >>>> downloads"? >>> >>> Use PGP signature to validate the installer. Use separate channel to >>> obtain >>> trust records for PGP key used in signing. > >> Yes, in the ideal world. But at least in my experience, most windows >> software doesn't come with a pgp signature & using a separate channel >> to get the pgp key isn't so easy. > > In my experience, this is a Cygwin mailing list and we're discussing issues > of obtaining and verifying the authenticity of setup.exe. But you made proper validation sound so easy and so general :) But ok, we'll limit it to just the cygwin setup.exe. What separate channel is available for finding the cygwin signing key? My recollection is that I gave up looking & used the link on the install page to get the public key. > P.S. > In regard to Cygwin mailing list, please teach your mail agent to not quote > raw email addresses. Sorry about that Regards, Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple