Web lists-archives.com

Re: SSL not required for setup.exe download




Greetings, Lee!

>> Greetings, Lee!
>>
>>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>>> which
>>>> is easily mitigated with proper validation of your downloads.
>>
>>> Serious question - exactly how does one do "proper validation of your
>>> downloads"?
>>
>> Use PGP signature to validate the installer. Use separate channel to obtain
>> trust records for PGP key used in signing.

> Yes, in the ideal world.  But at least in my experience, most windows
> software doesn't come with a pgp signature & using a separate channel
> to get the pgp key isn't so easy.

In my experience, this is a Cygwin mailing list and we're discussing issues
of obtaining and verifying the authenticity of setup.exe.

P.S.
In regard to Cygwin mailing list, please teach your mail agent to not quote
raw email addresses.


-- 
With best regards,
Andrey Repin
Wednesday, March 13, 2019 0:32:21

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple