Chris Louden <chris.louden <at> gmail.com> writes: > The process seem fairly straight forward > setting up an apache instance and rsycing twice a day. However our > NetSec folks have asked is there is any way I can sync the local repo > via an authenticated or encrypted method. I guess to rule out a man in > the middle scenario.
You probably want to read https://cygwin.com/faq/faq.html#faq.setup.install-security I suppose. Cygwin installation can't be tampered with unless you override the signature check. It doesn't matter how or where you are syncing your local mirror from, setup.exe is going to check the gpg signature on the setup.ini file it reads and it won't install any package that has a different SHA512 checksum than what's noted (and been signed) in setup.ini. If you want to do a check after mirroring, you'd need to roll your own signature checking and setup.ini parsing. Regards, Achim. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple