Mail Archives: cygwin/2008/08/16/08:41:44

From: "Dave Korn" <dave DOT korn AT artimi DOT com>
To: <cygwin AT cygwin DOT com>
References: <19000930 DOT post AT talk DOT nabble DOT com> <00ad01c8feef$bb70a660$9601a8c0 AT CAM DOT ARTIMI DOT COM> <31DDB7BE4BF41D4888D41709C476B6570929B30B AT NIHCESMLBX5 DOT nih DOT gov>
Subject: RE: Im having a problem downloading version 1.5.25-15 having something to do with setup.ini.sig
Date: Sat, 16 Aug 2008 13:40:45 +0100
Message-ID: <010401c8ff9d$504a3cd0$9601a8c0@CAM.ARTIMI.COM>
In-Reply-To: <31DDB7BE4BF41D4888D41709C476B6570929B30B@NIHCESMLBX5.nih.gov>

Buchbinder, Barry (NIH/NIAID) wrote on 15 August 2008 22:24:

> It would seem that when setup encounters the error that Garret
> encountered, it should ask whether to continue anyway (i.e., invoke -X)
> or abort.  If nothing else, it will avoid some of the emails to the list
> that repeat Garret's report.

  I don't like that idea.  The single biggest flaw in PKI is the fact that
people just regard requesters as an annoyance, don't read them, and just
want to click right through.  If you're going to have an "ignore security"
button, security will be ignored every time; you might as well just not
bother checking the signature in the first place.  I very much want to make
it *difficult* for the user to disable their safety protection.  I seriously
considered not even offering a choice at all.

> It would also seem that a checkbox that invokes the -X functionality
> would offer flexibility to people who know in advance that there is no
> sig but do not remember the option, don't need to use -X often enough to
> have a shortcut, etc.

  I guess what I really want to do is add some form of key management, so
that external package repository owners can start signing their setup.inis
and distribute keys to their users.  (This can currently be done via the
commandline, but it's not very friendly, sorry.  But if you use -K or -S
to give it a key once, it gets cached, and can be reused every time by
adding -U; maybe that should be the default.  Or maybe I should add an
option to look up keys from the user's gpg keyring where present, and
piggyback off gpg's key management functions.  That might work quite well,
we'd get to use the keyservers, trust-signing and revocation
infrastructure).
 
> Related #1:  -X (and -K, -S, -u, and -U?) might be added to FAQ entry
> on setup command-line usage:
> http://cygwin.com/faq/faq-nochunks.html#faq.setup.cli.  A link to
> http://www.cygwin.com/ml/cygwin-announce/2008-08/msg00001.html might be
> appropriate.
> 
> Related #2:  It would be useful to update the setup command-line usage
> link on http://sourceware.org/cygwin-apps/setup.htm to perhaps point to
> the FAQ entry.

  Thanks for the reminder; I haven't had a chance to update the docs yet,
but I'll get on it.
 
> And thanks for all the work that's gone into setup.

  :)

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

