Greg Chicares wrote:
> Here's a native msw binary:
> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe

Thanks for the response, Greg. This still raises 2 concerns:

1) If this method is the official Cygwin authenticity verification procedure, it should be well documented on the website, as the process is non-trivial.

2) The gnupg-w32cli-1.4.9.exe itself also isn't signed. So we still have the bootstrapping problem.

Bottom line, the install procedure is still insecure and vulnerable to attack until a pervasive authentication mechanism is used (either signed Windows executable or SSL download with a verifiable cert). With organized and highly sophisticated attackers becoming even more widespread (often backed by organized crime or other well-funded agencies), security is important, especially for a project as prestigious and important as Cygwin.

Of course, I'll mention this to the gnupg.org people too, as they have the same problem.

Thanks for the response.

Best Regards,
Doug