
Re: SSL not required for setup.exe download

On 3/12/19, Andrey Repin <anrdaemon@xxxxxxxxx> wrote:
> Greetings, Lee!
>
>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>> which is easily mitigated with proper validation of your downloads.
>
>> Serious question - exactly how does one do "proper validation of your
>> downloads"?
>
> Use PGP signature to validate the installer. Use separate channel to obtain
> trust records for PGP key used in signing.

Yes, in the ideal world.  But at least in my experience, most Windows
software doesn't come with a PGP signature & using a separate channel
to get the PGP key isn't so easy.

Just out of curiosity.. has the cygwin public key been posted in
multiple places or sent to the mailing list?  Getting the exe, sig &
key from https://cygwin.com/install.html seems not the best security.

> And not blindly trust "supposedly-secure" connections.

I don't.  But I trust TLS connections a lot more than I trust
clear-text connections.

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
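The validation Andrey describes above (check the installer's PGP signature, and trust the signing key only because its fingerprint was obtained on a separate channel) written out as a shell script. This is an added example, not code from the thread or from the Cygwin project; it assumes GnuPG 2.1 or later and constructs a scratch key, a fake installer and its signature in a temporary directory, with `good_fpr` standing in for a fingerprint you would have recorded out-of-band.

```shell
#!/bin/sh
# Added example: accept a downloaded installer only if its detached PGP
# signature verifies AND the signing key's fingerprint equals one obtained
# out-of-band. Assumes GnuPG 2.1+; all key material here is constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo 'gpg not installed, nothing to demo' >&2; exit 0; }

# verify_download INSTALLER SIG PUBKEY_FILE EXPECTED_FPR
# Returns 0 only when SIG is a good signature over INSTALLER made by the key
# whose full fingerprint is EXPECTED_FPR. The key file may come from the same
# site as the installer; the fingerprint must not.
verify_download() {
  installer=$1; sig=$2; pubkey=$3; expected_fpr=$4
  kr=$(mktemp -d); chmod 700 "$kr"
  # Throwaway keyring: the user's own keyring and web of trust are not consulted.
  gpg --homedir "$kr" --batch --quiet --import "$pubkey" 2>/dev/null
  # --status-fd gives machine-readable lines; VALIDSIG carries the fingerprint
  # of the key that made a *good* signature (absent on BADSIG or errors).
  status=$(gpg --homedir "$kr" --batch --status-fd 1 --verify "$sig" "$installer" 2>/dev/null || true)
  rm -rf "$kr"
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
  [ -n "$fpr" ] && [ "$fpr" = "$expected_fpr" ]
}

# Constructed fixture: a scratch key signs a fake "setup.exe".
demo_dir=$(mktemp -d)
export GNUPGHOME="$demo_dir/gnupg"; mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
    --quick-generate-key 'Demo Signer <demo@example.invalid>' ed25519 sign none 2>/dev/null
# The fingerprint you would normally copy from a separate channel (keyserver,
# signed announcement, printed in a different venue) is read from the scratch key here.
good_fpr=$(gpg --batch --with-colons --fingerprint | awk -F: '$1=="fpr"{print $10; exit}')
printf 'fake installer bytes\n' > "$demo_dir/setup.exe"
gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
    --detach-sign --output "$demo_dir/setup.exe.sig" "$demo_dir/setup.exe"
gpg --batch --quiet --armor --export demo@example.invalid > "$demo_dir/signing-key.asc"
unset GNUPGHOME

if verify_download "$demo_dir/setup.exe" "$demo_dir/setup.exe.sig" \
                   "$demo_dir/signing-key.asc" "$good_fpr"; then
  echo "signature good and key fingerprint matches out-of-band record"
else
  echo "REJECT: bad signature or unexpected signing key"
fi
```

A key shipped next to the installer proves nothing by itself; the fingerprint comparison is what ties the signature to a trust decision made elsewhere.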