Specifically, when I launch Cygwin's setup.exe, I am warned: "Do you want to allow this app from an unknown publisher to make changes to your system?"
That code could be anything. I think that means that if your website gets hacked, and the setup binaries get replaced, everyone is in trouble. Compare with the recent Classic Shell hack where not having a signed installer was, at least, a warning.

http://www.bleepingcomputer.com/news/security/audacity-and-classic-shell-download-server-hacked-by-pegglecrew-/

I'd expect the app to be signed and generate a UAC prompt saying it was signed by Red Hat or similar.

Lloyd Wood
lloyd.w...@yahoo.co.uk
http://savi.sf.net/

----- Original Message -----
From: "lloyd.w...@yahoo.co.uk" <lloyd.w...@yahoo.co.uk>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Sent: Wednesday, 17 August 2016, 11:49
Subject: Cygwin's installation and security models?

I'd like to understand Cygwin's installation and security models better:

- Cygwin's installers aren't signed.
- downloads are from a number of untrusted mirrors via http/ftp, and packages aren't verified.

Is this correct?

thanks

Lloyd Wood
lloyd.w...@yahoo.co.uk
http://savi.sf.net/

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple