Mail Archives: cygwin/2016/08/17/00:18:14

Subject: Re: Cygwin's installation and security models?
To: cygwin AT cygwin DOT com
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Date: Tue, 16 Aug 2016 22:17:51 -0600

On 2016-08-16 19:49, lloyd DOT wood AT yahoo DOT co DOT uk wrote:
> I'd like to understand Cygwin's installation and
> security models better:
> - Cygwin's installers aren't signed.
> - downloads are from a number of untrusted mirrors
>   via http/ftp, and packages aren't verified.
> Is this correct?

Nope!
The installer is downloaded from a TLS-enabled web site.
The installer manifest contains a public key, so the build
or at least the manifest is signed with a private key.
There are detached GPG signatures for the installer programs
setup_x86{,_64}.exe and setup.ini data files, verified by the
installer.
The setup.ini installer data files contain message digests
for each of the installable packages, verified by the
installer.
HTH
-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
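
The per-package digest check described in the reply above, as an added example that is not part of the original message and not Cygwin's installer code. It assumes `install:` lines of the form `path size sha512-hex`, uses constructed sample data, and assumes the detached signature on setup.ini has already been verified, since the digests are only as trustworthy as the manifest that carries them.

```python
import hashlib
import hmac
import re

# Constructed package payload and setup.ini fragment (not real Cygwin data).
SAMPLE_PKG = b"constructed package bytes for the example\n"
SAMPLE_INI = (
    "@ hello\n"
    'sdesc: "constructed sample package"\n'
    "version: 1.0-1\n"
    f"install: x86_64/release/hello/hello-1.0-1.tar.xz {len(SAMPLE_PKG)} "
    f"{hashlib.sha512(SAMPLE_PKG).hexdigest()}\n"
)

# Assumed line layout: "install: <path> <size> <hex digest>".
INSTALL_RE = re.compile(r"^install:\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]+)\s*$")


def parse_install_entries(ini_text):
    """Map archive path -> (size, hex digest) for every 'install:' line."""
    entries = {}
    for line in ini_text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            entries[m.group(1)] = (int(m.group(2)), m.group(3).lower())
    return entries


def verify_package(entries, path, data):
    """Return (ok, reason) for package bytes checked against the manifest."""
    if path not in entries:
        return False, "not listed in manifest"
    size, digest = entries[path]
    if len(data) != size:
        return False, "size mismatch"
    if len(digest) != 128:  # reject anything that is not a SHA-512 hex digest
        return False, "digest is not SHA-512"
    actual = hashlib.sha512(data).hexdigest()
    if not hmac.compare_digest(actual, digest):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    manifest = parse_install_entries(SAMPLE_INI)
    pkg_path = "x86_64/release/hello/hello-1.0-1.tar.xz"
    print(verify_package(manifest, pkg_path, SAMPLE_PKG))
    print(verify_package(manifest, pkg_path, b"X" + SAMPLE_PKG[1:]))
```

A package fetched from an untrusted mirror over http/ftp is accepted only if it matches an entry in the already-authenticated manifest; an unlisted, resized or altered archive is rejected.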

