Greetings, Lee!

>> Greetings, Lee!
>>
>>>> Which is way worse in my opinion, than any theoretical MITM attack, which
>>>> is easily mitigated with proper validation of your downloads.
>>
>>> Serious question - exactly how does one do "proper validation of your
>>> downloads"?
>>
>> Use PGP signature to validate the installer. Use separate channel to obtain
>> trust records for PGP key used in signing.

> Yes, in the ideal world. But at least in my experience, most Windows
> software doesn't come with a PGP signature & using a separate channel
> to get the PGP key isn't so easy.

In my experience, this is a Cygwin mailing list and we're discussing issues of obtaining and verifying the authenticity of setup.exe.

P.S.
In regard to Cygwin mailing list, please teach your mail agent to not quote raw email addresses.

--
With best regards,
Andrey Repin
Wednesday, March 13, 2019 0:32:21

Sorry for my terrible English...