I performed a cygwin update today, and was confronted with an MD5
failure on one of the packages.
The package was vim-7.1-1.tar.bz2 downloaded from mirrors.dotsrc.org
As the package installed, I saw some strange behavior, I'm worried it
might have been some kind of trojan.
I saved the hacked package file in case a cygwin developer wants to see
it. I was able to get the vim-7.1-1.tar.bz2 from another server with
the correct MD5.
The correct md5:
df543517110fa14fcc13a207ef721459 *vim-7.1-1.tar.bz2
The md5 of the hacked package:
43f00ebc2964d7c84fde7b7150f1b3a5 *vim-7.1-1.tar.bz2-HACKED
I also have a complaint: the dialog that notifies the user of the
failed MD5 is not well designed. The dialog asks "Do you want to skip
the package?" and has a yes and no button. I read it quickly and
pressed no before thinking about it, the package went ahead and tried to
install. I think there should be a little more effort to restrain the
user from performing a dangerous action such as installing a package
with a wrong MD5.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
