Message-ID: <4B9EEC2D.9020602@monai.ca>
Date: Mon, 15 Mar 2010 19:25:49 -0700
From: Steven Monai
To: cygwin AT cygwin DOT com
Subject: Re: incomplete/corrupted setup.exe
In-Reply-To: <20100314190223.GD13515@ednor.casa.cgf.cx>

On 2010/03/14 12:02 PM, Christopher Faylor wrote:
> We are not going to be installing an https server in the hopes that it
> will defeat misguided setup.exe blocking for the same reason that we
> won't be adopting a new versioning scheme - neither is a guarantee.
>
> I don't mind trying to figure out clever ways to defeat Windows
> limitations but I draw the line at spending nontrivial amounts of my
> time trying to deal with brain-dead limitations of users' networks.
>
> The way to install Cygwin on your computer is to click on the "Install
> Cygwin Now!" link at http://cygwin.com/ . If you can't get that to work
> then you need to work with your local IT to figure out why.

IT departments are becoming increasingly security conscious. That's
probably why the OP had trouble downloading setup.exe. It wasn't because
his IT was "brain-dead", but because there are legitimate security
concerns about downloading an unsigned exe over a non-SSL-authenticated
channel.

I suggest people inform themselves about the current state of art in
"man-in-the-middle" hijacking attacks, because the means by which
cygwin.com currently distributes setup.exe is vulnerable to a MITM
surreptitiously delivering a trojan setup.exe in place of the actual.

For this reason, I caution Cygwin users against downloading setup.exe
over unsafe networks (e.g. public wireless hotspots, hotel networks,
etc.).

-SM