Christopher Faylor wrote: >> Nobody seemed to care. Considering the fact that MD5 collisions are now >> trivial >> to generate, it probably doesn't matter much anyways - the fact that your >> copy >> of setup.exe has the right MD5 doesn't mean that it hasn't been tampered >> with. > > We don't control the content of mirrors. > > If you think this is an issue, contact the mirror(s) in question.
This is an issue with the Cygwin website, not the mirrors. There is a chain of trust from http://cygwin.com to the mirrors. Since the official Cygwin site list these mirrors at http://cygwin.com/mirrors.html, you're endorsing them as an officially approved locations to download Cygwin. This means that you have to monitor reports about misbehaving mirrors and remove ones that distribute corrupted or possibly malicious binaries under the Cygwin name. Alex -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
