X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-1.7 required=5.0 	tests=AWL,BAYES_00,SARE_MSGID_LONG40,WEIRD_PORT
X-Spam-Check-By: sourceware.org
MIME-Version: 1.0
In-Reply-To: <4BA1BA09.7040104@gmail.com>
References: <1268766945 DOT 5263 DOT ezmlm AT cygwin DOT com> 	 <Pine DOT LNX DOT 4 DOT 58 DOT 1003171042591 DOT 9914 AT mail3 DOT jubileegroup DOT co DOT uk> 	 <20100317150649 DOT GA29284 AT ednor DOT casa DOT cgf DOT cx> <4BA17A9F DOT 2000808 AT monai DOT ca> 	 <4BA1BA09 DOT 7040104 AT gmail DOT com>
Date: Thu, 18 Mar 2010 01:16:26 -0400
Message-ID: <18d205ed1003172216p3d3ff258rde6c9b13cb7d4be1@mail.gmail.com>
Subject: Re: incomplete/corrupted setup.exe
From: Gregg Levine <gregg DOT drwho8 AT gmail DOT com>
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Thu, Mar 18, 2010 at 1:28 AM, Dave Korn <*****************> wrote:
> On 18/03/2010 00:58, Steven Monai wrote:
>
>> As an alternative to setting up SSL on cygwin.com, what about the idea
>> of crypto-signing (e.g. with gnupg) every release of setup.exe, and then
>> posting the signature alongside the binary? I know I would breathe a
>> little easier if I were able to positively verify the authenticity of a
>> given setup.exe binary.
>
> =A0That much is already done, and documented on the front page of cygwin.=
com:
> read the first sentence under "Installing and Updating Cygwin and its
> Packages" heading just beneath the mid-bar, or go straight to
> http://cygwin.com/setup.exe.sig
>
>> The public key would need to be distributed via channels other than just
>> cygwin.com, to make it more difficult to spoof. Fortunately, there are a
>> number of public PGP/GPG key servers to fill that purpose.
>
> =A0And we have already uploaded it to them; DSA key ID 676041BA:
>
> http://pgp.mit.edu:11371/pks/lookup?op=3Dvindex&search=3D0xA9A262FF676041=
BA
>
> =A0 =A0cheers,
> =A0 =A0 =A0DaveK
>
> --

Hello!
George, I am certainly not the individual behind the list, I am just
another user of this most excellent system as you are. That being
said, (Oh and thank you Dave for stating that.) would that be enough
for your school to stop blacklisting the setup program for Cygwin?

I firmly believe that something did happen in the past to frustrate
and confuse the people behind you in the school you are working from.
That's why they did that, and I agree it makes less sense to me as
well.

So given that excellent decision on someone's part, can we consider
this subject closed, before CGF gets really annoyed?
-----
Gregg C Levine gregg DOT drwho8 AT gmail DOT com
"This signature fought the Time Wars, time and again."

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple