> > A security issue has been noted with lftp: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1180209 > > > > This is the patch for 4.6.1: > > > > http://pkgs.fedoraproject.org/cgit/lftp.git/plain/lftp-4.6.1-auto-confirm.patch > > Thanks, I wasn't aware of that. New release coming out shortly.
lftp will now no longer automatically store the host key fingerprints of unverified ssh servers. That's good, but it means that "cygport up" will now fail (probably mysteriously) for maintainers who are connecting by ssh/sftp to cygwin.com for the first time. New maintainers will need to connect by regular sftp to cygwin.com one time first, to store the host key fingerprint in known_hosts. After that "cygport up" will work. The cygport documentation should be updated to say this.