Mail Archives: cygwin/2016/08/17/14:35:34

www.delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2016/08/17/14:35:34

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:date:from:reply-to:message-id:to:subject

:in-reply-to:references:mime-version:content-type

:content-transfer-encoding; q=dns; s=default; b=uytKN3mui33MpYAW

d82cYrupUSjfE4QETHqur8h3r5hJSr9ZwIqmxqh8HgaeFbp1yDwzB47pNBosuzHy

XgdA8y/t5qD+yeJngpG3IPGVOqcHIAsRJqb/APGPh1BlShO7GCb4nBMIlfAZNZOM

wqaUZTJas3oCon6ZgmBRfaeFogs=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:date:from:reply-to:message-id:to:subject

:in-reply-to:references:mime-version:content-type

:content-transfer-encoding; s=default; bh=wOfHOY94Psu9/Q915LgcZy

mINbw=; b=VdKYItVmZit+Y8q2m7+mL4CcutdE/InDk/ytTB67MDdwbLxNf9c7Eu

8cPa5xxCcXXt3FBRSHXydfMHH/IjdMuIt2LaU1uPrufwshfeRyfI1Hh+8A3izABE

VFfR6H7NN6QSXDkwRXCC8MV2U/6XADR4JgyRuXRwHIcdObAI9bIuA=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Virus-Found: No

X-Spam-SWARE-Status: No, score=2.2 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.2 spammy=H*F:D*yandex.ru, H*x:Bat!, H*UA:Bat!, warned

X-HELO: forward2m.cmail.yandex.net

Authentication-Results: smtp1h.mail.yandex.net; dkim=pass header.i=@yandex.ru

X-Yandex-Suid-Status: 1 0,1 0

Date: Wed, 17 Aug 2016 21:34:05 +0300

From: Andrey Repin <anrdaemon AT yandex DOT ru>

Reply-To: cygwin AT cygwin DOT com

Message-ID: <441019555.20160817213405@yandex.ru>

To: lloyd DOT wood AT yahoo DOT co DOT uk, cygwin AT cygwin DOT com

Subject: Re: Cygwin's installation and security models?

In-Reply-To: <2144740387.26033819.1471429498939.JavaMail.yahoo@mail.yahoo.com>

References: <1740128398 DOT 25713364 DOT 1471398599819 DOT JavaMail DOT yahoo DOT ref AT mail DOT yahoo DOT com> <1740128398 DOT 25713364 DOT 1471398599819 DOT JavaMail DOT yahoo AT mail DOT yahoo DOT com> <2144740387 DOT 26033819 DOT 1471429498939 DOT JavaMail DOT yahoo AT mail DOT yahoo DOT com>

MIME-Version: 1.0

X-IsSubscribed: yes

Greetings, lloyd DOT wood AT yahoo DOT co DOT uk!

> Specifically, when I launch Cygwin's setup.exe, I am warned:

> "Do you want to allow this app from an unknown publisher to
> make changes to your system?"

This is a generic warning suggesting to double-check your actions.

> That code could be anything. I think that means that
> if your website gets hacked, and the setup binaries
> get replaced, everyone is in trouble. Compare with the
> recent Classic Shell hack where not having a signed
> installer was, at least, a warning.

> http://www.bleepingcomputer.com/news/security/audacity-and-classic-shell-download-server-hacked-by-pegglecrew-/

> I'd expect the app to be signed

Signed by whom?

> and generate a UAC prompt saying it was signed by Redhat or similar.

I can fake such a signature in under 30 seconds.
All this "signing" tests is that the signature is correct and the content hash
is matching the signature. Period.
If anything, I see this warning as a good reason to go on a search to check
the credibility of your download yourself. And that is what really matters,
instead of blindly trusting the pretty images.

For additional info, you can start reading from
http://sourceware.org/ml/cygwin/2015-04/msg00049.html , and consider the
http://sourceware.org/ml/cygwin/2015-03/msg00119.html .

P.S.
Just in case I'm not confusing you with someone else: This mailing list is in
"no top posting, please, thank you" mode.


-- 
With best regards,
Andrey Repin
Wednesday, August 17, 2016 21:18:58

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; q=dns; s=default; b=uytKN3mui33MpYAW
	d82cYrupUSjfE4QETHqur8h3r5hJSr9ZwIqmxqh8HgaeFbp1yDwzB47pNBosuzHy
	XgdA8y/t5qD+yeJngpG3IPGVOqcHIAsRJqb/APGPh1BlShO7GCb4nBMIlfAZNZOM
	wqaUZTJas3oCon6ZgmBRfaeFogs=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; s=default; bh=wOfHOY94Psu9/Q915LgcZy
	mINbw=; b=VdKYItVmZit+Y8q2m7+mL4CcutdE/InDk/ytTB67MDdwbLxNf9c7Eu
	8cPa5xxCcXXt3FBRSHXydfMHH/IjdMuIt2LaU1uPrufwshfeRyfI1Hh+8A3izABE
	VFfR6H7NN6QSXDkwRXCC8MV2U/6XADR4JgyRuXRwHIcdObAI9bIuA=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
X-Spam-SWARE-Status:	No, score=2.2 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.2 spammy=HF:Dyandex.ru, Hx:Bat!, HUA:Bat!, warned
X-HELO:	forward2m.cmail.yandex.net
Authentication-Results:	smtp1h.mail.yandex.net; dkim=pass header.i=@yandex.ru
X-Yandex-Suid-Status:	1 0,1 0
Date:	Wed, 17 Aug 2016 21:34:05 +0300
From:	Andrey Repin <anrdaemon AT yandex DOT ru>
Reply-To:	cygwin AT cygwin DOT com
Message-ID:	<441019555.20160817213405@yandex.ru>
To:	lloyd DOT wood AT yahoo DOT co DOT uk, cygwin AT cygwin DOT com
Subject:	Re: Cygwin's installation and security models?
In-Reply-To:	<2144740387.26033819.1471429498939.JavaMail.yahoo@mail.yahoo.com>
References:	<1740128398 DOT 25713364 DOT 1471398599819 DOT JavaMail DOT yahoo DOT ref AT mail DOT yahoo DOT com> <1740128398 DOT 25713364 DOT 1471398599819 DOT JavaMail DOT yahoo AT mail DOT yahoo DOT com> <2144740387 DOT 26033819 DOT 1471429498939 DOT JavaMail DOT yahoo AT mail DOT yahoo DOT com>
MIME-Version:	1.0
X-IsSubscribed:	yes