Date: Wed, 17 Aug 2016 10:24:58 +0000 (UTC)
To: "cygwin AT cygwin DOT com"
Message-ID: <2144740387.26033819.1471429498939.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1740128398.25713364.1471398599819.JavaMail.yahoo@mail.yahoo.com>
Subject: Re: Cygwin's installation and security models?

Specifically, when I launch Cygwin's setup.exe, I am warned: "Do you want to allow this app from an unknown publisher to make changes to your system?"

That code could be anything. I think that means that if your website gets hacked, and the setup binaries get replaced, everyone is in trouble.

Compare with the recent Classic Shell hack where not having a signed installer was, at least, a warning.
http://www.bleepingcomputer.com/news/security/audacity-and-classic-shell-download-server-hacked-by-pegglecrew-/

I'd expect the app to be signed and generate a UAC prompt saying it was signed by Redhat or similar.

Lloyd Wood
lloyd DOT wood AT yahoo DOT co DOT uk
http://savi.sf.net/

----- Original Message -----
From: "lloyd DOT wood AT yahoo DOT co DOT uk"
To: "cygwin AT cygwin DOT com"
Sent: Wednesday, 17 August 2016, 11:49
Subject: Cygwin's installation and security models?

I'd like to understand Cygwin's installation and security models better:

- Cygwin's installers aren't signed.
- downloads are from a number of untrusted mirrors via http/ftp, and packages aren't verified.

Is this correct?

thanks

Lloyd Wood
lloyd DOT wood AT yahoo DOT co DOT uk
http://savi.sf.net/

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
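One defensive check a Windows user can run before launching a downloaded installer, as an added example that is not part of this thread or of Cygwin's own tooling: it refuses to start setup.exe unless the file carries a valid Authenticode signature from an expected publisher and its SHA-256 matches a value obtained over a trusted channel, which is exactly what a replaced binary on a hacked download server would fail. The installer path, the publisher name and the hash are placeholders to fill in.

```powershell
# Added example (not from the thread): gate an installer on a trusted
# Authenticode signature plus an out-of-band SHA-256 before it is run.
param(
    # Placeholder path to the downloaded installer.
    [string]$Installer      = "$env:USERPROFILE\Downloads\setup.exe",
    # Placeholder: the subject name you expect on the signing certificate.
    [string]$ExpectedSigner = 'CN=EXPECTED PUBLISHER NAME',
    # Placeholder: SHA-256 published by the project over a trusted channel.
    [string]$ExpectedSha256 = '<64-HEX-CHARACTERS-FROM-TRUSTED-SOURCE>'
)

function Test-InstallerTrust {
    param([string]$Path, [string]$Signer, [string]$Sha256)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    # 1. Authenticode: Status is 'Valid' only when the signature verifies and
    #    the certificate chains to a trusted root. 'NotSigned' is the case
    #    that produces the "unknown publisher" UAC prompt seen in the thread.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is '$($sig.Status)'"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$Signer*") {
        Write-Warning "Signed, but by '$subject', not the expected publisher"
        return $false
    }

    # 2. Independent hash check: a signature says who built the file; the
    #    hash ties this particular download to what the project published.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        Write-Warning "SHA-256 mismatch: got $actual"
        return $false
    }
    return $true
}

if (Test-InstallerTrust -Path $Installer -Signer $ExpectedSigner -Sha256 $ExpectedSha256) {
    Write-Host "Checks passed; launching $Installer"
    Start-Process -FilePath $Installer
} else {
    Write-Error "Refusing to run $Installer"
}
```

With the placeholders left unfilled the script always refuses to run, which is the safe default; a hash fetched from the same mirror as the binary proves nothing, so take it from a separate trusted source.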