Currently Cygwin-ports has problems countering man-in-the-middle (MITM) attacks when it installs/updates software. The good news is that this is easy to fix.
Problem 1: The GPG key isn't acquired in some authenticated way. Currently, users get the key by viewing http://cygwinports.org/ and downloading the GPG key using http. That's vulnerable to MITM. The obvious solution, now used by Cygwin itself, is to switch cygwinports.org to use https. Ideally it'd be https-only, using HSTS, like Cygwin itself.

Problem 2: Currently MD5 is used as the hash function in the setup.ini files. The current Cygwin installer now supports SHA-512, and Cygwin intends to switch to SHA-512 soon in its setup.ini file. I recommend the same things happen in cygwin-ports.

Thanks!

--- David A. Wheeler

_______________________________________________
Cygwin-ports-general mailing list
https://lists.sourceforge.net/lists/listinfo/cygwin-ports-general
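As an added illustration of Problem 2 (not code from the post or from the Cygwin-ports project), the following checker verifies the `install:` line of a Cygwin-style setup.ini entry against the downloaded archive bytes and tells a 32-hex-character MD5 digest apart from a 128-hex-character SHA-512 digest, refusing the MD5 form unless explicitly allowed. The archive contents and the setup.ini lines are constructed inline for the example; the `install: <path> <size> <hexdigest>` layout is the format the post refers to.

```python
import hashlib
import re

# Constructed stand-in for a downloaded package archive (normally a .tar.xz).
ARCHIVE = b"fake tarball contents for the example\n"

# Cygwin setup.ini entries carry: install: <archive path> <size in bytes> <hex digest>
INSTALL_RE = re.compile(r"^install:\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]+)\s*$")


def digest_algorithm(hexdigest):
    """Infer the digest algorithm from the hex length: 32 -> MD5, 128 -> SHA-512."""
    return {32: "md5", 128: "sha512"}.get(len(hexdigest))


def check_install_line(line, data, allow_md5=False):
    """Verify one 'install:' line against the archive bytes.

    Returns (path, status) with status one of: 'ok', 'weak-hash' (MD5 digest
    present but MD5 not allowed), 'unknown-hash', 'size-mismatch', 'hash-mismatch'.
    """
    m = INSTALL_RE.match(line)
    if not m:
        raise ValueError("not an install line: %r" % line)
    path, size, hexdigest = m.group(1), int(m.group(2)), m.group(3).lower()
    algo = digest_algorithm(hexdigest)
    if algo is None:
        return path, "unknown-hash"
    if algo == "md5" and not allow_md5:
        # Reject the weak digest before doing any comparison at all.
        return path, "weak-hash"
    if len(data) != size:
        return path, "size-mismatch"
    if hashlib.new(algo, data).hexdigest() != hexdigest:
        return path, "hash-mismatch"
    return path, "ok"


def sample_lines():
    """Constructed setup.ini lines: a SHA-512 entry, an MD5 entry and a corrupted one."""
    path = "x86_64/release/foo/foo-1.0-1.tar.xz"
    sha = hashlib.sha512(ARCHIVE).hexdigest()
    md5 = hashlib.md5(ARCHIVE).hexdigest()
    return [
        "install: %s %d %s" % (path, len(ARCHIVE), sha),
        "install: %s %d %s" % (path, len(ARCHIVE), md5),
        "install: %s %d %s" % (path, len(ARCHIVE), "0" * 128),
    ]


if __name__ == "__main__":
    for entry in sample_lines():
        print(check_install_line(entry, ARCHIVE))
```

Note that a matching digest only proves the archive matches setup.ini; setup.ini itself still has to arrive over an authenticated channel (the GPG signature and https from Problem 1) for the check to mean anything.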
