Eric Blake wrote on 05 August 2008 02:29:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> According to Mike Cappella on 8/4/2008 2:33 PM:
>> With the recent CVE security announcement regarding setup.exe:
>>
>> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3323
>>
>> I'm wondering if perhaps it makes sense to include the version number of
>> setup.exe on the main Cygwin web page? It currently seems to require
>> downloading setup.exe and running it to determine the version number.
>
> On the other hand, the above vulnerability can only occur if you click
> beyond the screen displaying the version number, so there isn't really any
> harm in running setup.exe to determine whether it is new enough to avoid
> that particular bug.

Also, we're going to add a link to the setup.exe gpg .sig file on the main
page; then the simple rule will be "If it has a gpg signature, it's the new
version".

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....