X-Recipient: archive-cygwin AT delorie DOT com X-Spam-Check-By: sourceware.org From: "Dave Korn" To: References: <4897678C DOT 9010106 AT cappella DOT us> <4897ACC9 DOT 8030701 AT byu DOT net> Subject: RE: Setup version Date: Wed, 6 Aug 2008 15:45:39 +0100 Message-ID: <004801c8f7d3$185bf920$9601a8c0@CAM.ARTIMI.COM> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: <4897ACC9.8030701@byu.net> Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Eric Blake wrote on 05 August 2008 02:29: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > According to Mike Cappella on 8/4/2008 2:33 PM: >> With the recent CVE security announcement regarding setup.exe: >> >> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3323 >> >> I'm wondering if perhaps it make sense to include the version number of >> setup.exe on the main Cygwin web page? It is currently seems to require >> downloading setup.exe and running it to determine the version number. > > On the other hand, the above vulnerability can only occur if you click > beyond the screen displaying the version number, so there isn't really any > harm in running setup.exe to determine whether it is new enough to avoid > that particular bug. Also, we're going to add a link to the setup.exe gpg .sig file on the main page; then the simple rule will be "If it has a gpg signature, it's the new version". cheers, DaveK -- Can't think of a witty .sigline today.... -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/