public inbox for cygwin@cygwin.com
* setting up private mirror
@ 2015-09-02 21:29 Chris Louden
  2015-09-03  1:50 ` Andrey Repin
  2015-09-03 14:51 ` Achim Gratz
  0 siblings, 2 replies; 4+ messages in thread
From: Chris Louden @ 2015-09-02 21:29 UTC (permalink / raw)
  To: cygwin

Hello,

I'm currently searching the mailing list archive as well as Google but
I thought I would ask outright as well. I'm looking to implement a
private Cygwin mirror. The process seems fairly straightforward
setting up an Apache instance and rsyncing twice a day. However our
NetSec folks have asked if there is any way I can sync the local repo
via an authenticated or encrypted method. I guess to rule out a
man-in-the-middle scenario. If anyone has done anything similar I would
appreciate the feedback.

-Chris

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: setting up private mirror
  2015-09-02 21:29 setting up private mirror Chris Louden
@ 2015-09-03  1:50 ` Andrey Repin
  2015-09-03 14:31   ` Chris Louden
  2015-09-03 14:51 ` Achim Gratz
  1 sibling, 1 reply; 4+ messages in thread
From: Andrey Repin @ 2015-09-03  1:50 UTC (permalink / raw)
  To: Chris Louden, cygwin

Greetings, Chris Louden!

> I'm currently searching the mailing list archive as well as Google but
> I thought I would ask outright as well. I'm looking to implement a
> private Cygwin mirror. The process seems fairly straightforward
> setting up an Apache instance and rsyncing twice a day. However our
> NetSec folks have asked if there is any way I can sync the local repo
> via an authenticated or encrypted method. I guess to rule out a
> man-in-the-middle scenario. If anyone has done anything similar I would
> appreciate the feedback.

Probably.
You could get setup.ini from some secure source and check hashes of the
packages after sync.
I didn't check if there's any available, but supposedly there should be at
least one.


-- 
With best regards,
Andrey Repin
Thursday, September 3, 2015 04:45:27

Sorry for my terrible English...



* Re: setting up private mirror
  2015-09-03  1:50 ` Andrey Repin
@ 2015-09-03 14:31   ` Chris Louden
  0 siblings, 0 replies; 4+ messages in thread
From: Chris Louden @ 2015-09-03 14:31 UTC (permalink / raw)
  To: cygwin

That's pretty much what my NetSec came back with this morning. However
I can't check it against another mirror. I need to be able to get the
hashes directly from Cygwin. What is the URL for the main repo? Where
do all the formal mirrors rsync from?

-Chris


On Wed, Sep 2, 2015 at 7:47 PM, Andrey Repin <anrdaemon@yandex.ru> wrote:
> Greetings, Chris Louden!
>
>> I'm currently searching the mailing list archive as well as Google but
>> I thought I would ask outright as well. I'm looking to implement a
>> private Cygwin mirror. The process seems fairly straightforward
>> setting up an Apache instance and rsyncing twice a day. However our
>> NetSec folks have asked if there is any way I can sync the local repo
>> via an authenticated or encrypted method. I guess to rule out a
>> man-in-the-middle scenario. If anyone has done anything similar I would
>> appreciate the feedback.
>
> Probably.
> You could get setup.ini from some secure source and check hashes of the
> packages after sync.
> I didn't check if there's any available, but supposedly there should be at
> least one.
>
>
> --
> With best regards,
> Andrey Repin
> Thursday, September 3, 2015 04:45:27
>
> Sorry for my terrible English...
>


* Re: setting up private mirror
  2015-09-02 21:29 setting up private mirror Chris Louden
  2015-09-03  1:50 ` Andrey Repin
@ 2015-09-03 14:51 ` Achim Gratz
  1 sibling, 0 replies; 4+ messages in thread
From: Achim Gratz @ 2015-09-03 14:51 UTC (permalink / raw)
  To: cygwin

Chris Louden <chris.louden <at> gmail.com> writes:
> The process seems fairly straightforward
> setting up an Apache instance and rsyncing twice a day. However our
> NetSec folks have asked if there is any way I can sync the local repo
> via an authenticated or encrypted method. I guess to rule out a
> man-in-the-middle scenario.

You probably want to read

https://cygwin.com/faq/faq.html#faq.setup.install-security

I suppose.  Cygwin installation can't be tampered with unless you override
the signature check.  It doesn't matter how or where you are syncing your
local mirror from, setup.exe is going to check the gpg signature on the
setup.ini file it reads and it won't install any package that has a
different SHA512 checksum than what's noted (and been signed) in setup.ini.

If you want to do a check after mirroring, you'd need to roll your own
signature checking and setup.ini parsing.


Regards,
Achim.
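
A sketch of the post-mirror check described in the message above, added here as an example and not code from the thread or from the Cygwin project. It assumes setup.ini's detached signature has already been verified (for instance with `gpg --verify`) and that each `install:`/`source:` line reads `path size sha512`; the function names and the sample mirror are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_setup_ini(text):
    """Yield (package, path, size, sha512) for each install:/source: line.
    Assumed layout: '@ name' opens a stanza; archives are 'path size hexdigest'."""
    package = None
    for line in text.splitlines():
        key, _, rest = line.partition(" ")
        if key == "@":
            package = rest.strip()
        elif key in ("install:", "source:") and len(rest.split()) == 3:
            path, size, digest = rest.split()
            yield package, path, int(size), digest.lower()

def sha512_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def audit_mirror(root, setup_text):
    """Return (path, problem) for every listed archive that fails the check."""
    problems, root = [], os.path.realpath(root)
    for _pkg, rel, size, digest in parse_setup_ini(setup_text):
        full = os.path.realpath(os.path.join(root, rel))
        if not full.startswith(root + os.sep):
            problems.append((rel, "path escapes mirror root"))
        elif not os.path.isfile(full):
            problems.append((rel, "missing"))
        elif os.path.getsize(full) != size:
            problems.append((rel, "size mismatch"))
        elif sha512_file(full) != digest:
            problems.append((rel, "sha512 mismatch"))
    return problems

def demo():  # constructed mirror: foo intact, bar altered after setup.ini was written
    files = {"x86_64/release/foo/foo-1.0-1.tar.xz": b"good archive",
             "x86_64/release/bar/bar-2.0-1.tar.xz": b"original bytes"}
    with tempfile.TemporaryDirectory() as root:
        ini = ""
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)))
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data if "foo" in rel else b"tampered bytes")
            ini += "@ pkg\ninstall: %s %d %s\n\n" % (rel, len(data), hashlib.sha512(data).hexdigest())
        return audit_mirror(root, ini)
```

Calling `demo()` reports only the altered archive; an empty list from `audit_mirror` means every archive named in the signed setup.ini is present with the recorded size and SHA512.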