Yes - Cygwin is licensed as GPL V3 or later
- and the DLL is LGPL V3 or later WITH Linking Exception;
see:
https://cygwin.com/licensing.html
and the files CYGWIN_LICENSE, COPYING, COPYING.LIB, other instances of COPYING
and LICENSE files in /usr/share/doc/**/ directories, especially cygwin and
cygwin-doc, and copies in the headers of various source files.
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher but when there is no more to cut
-- Antoine de Saint-Exupéry
On 2025-05-04 04:37, James Hanley wrote:
Break the license rules? How - is it GPLv3?
-Jim
On May 3, 2025, at 3:09 PM, Brian Inglis via Cygwin <[email protected]> wrote:
On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
be signed with signtool
(https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
No - would break the Cygwin licence terms unless MS releases source!
It seems that Microsoft Defender has become overly aggressive to some
Cygwin binaries (mostly /usr/bin/hostname, /usr/bin/find, /usr/bin/tar
etc.) in the last couple of weeks and just blocks them.
Aha - more MS Embrace, Extend, Extinguish!
Which Windows, Defender, and Cygwin releases did this start with?
$ which -a find hostname tar | cyg-sanitize-output.sed
/usr/bin/find
/proc/cygdrive/c/WINDOWS/system32/find
/usr/bin/hostname
/proc/cygdrive/c/WINDOWS/system32/hostname
/usr/bin/tar
/proc/cygdrive/c/WINDOWS/system32/tar
Perhaps Cygwin installer or cygcheck should start renaming MS Windows binaries
whose names conflict with Cygwin utilities! ;^>
What about other packages that install exes whose names conflict with MS
Windows utilities - does MS block them also, or just Cygwin's, or also other
open source; what about WSL installs?
[I noticed today that MS supports using only its own proprietary FIDO passkey
authenticator app - which nobody sensible would ever trust! I liked when we
used to be able to delete MS crypto keys from the MS Windows keystore.]
Our IT supports that they can "whitelist" binaries based on their
cryptographic signature... but neither the binaries from the CI nor
the Release binaries have any signatures...
Perhaps your paid IT support could just figure out how they could bypass
Defender checking the Cygwin roots or /*bin/ dirs?
I suspect many of us do that to reduce the overhead of the BLODA.
Or perhaps your paid IT support could just figure out how they could provide
their own Cygwin mirror with binaries signed with their own signatures and
tools.
Cygwin supports osslsigncode:
https://cygwin.com/packages/summary/osslsigncode-src.html
OpenSSL-based Authenticode signing and timestamping tool
Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
and MSI files. It also supports timestamping (Authenticode and RFC3161).
That would require our volunteers to find and spend more of their free time to
integrate the tool into the package build processes, and it would not be
available until the volunteers find more of their free time once the next
release of each upstream package becomes available.
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
