[PATCH setup draft 4/4] If signature validation is turned off, check 'release:' tag

2017-12-11 Thread Ken Brown
If we aren't doing signature validation, look instead for "release: cygwin" in the setup.ini files. If this fails for an official mirror, reject the mirror. If it fails for a purported private mirror, silently change the status of the site to "user site" and put a note in the log file. This

[PATCH setup draft 0/4] Improve setup.ini validation

2017-12-11 Thread Ken Brown
This patch series presupposes the one posted starting at [1]. Currently, signatures are verified using the cygwin signing key and other keys supplied by the user. Validation with any key is accepted. This patch series makes the following changes: - For official cygwin mirrors (those listed in

[PATCH setup draft 3/4] Try cygwin signing key for private mirrors

2017-12-11 Thread Ken Brown
If validation with the cygwin signing key fails for a purported private mirror, retry with other supplied keys. If this succeeds, silently change the status of the site to "user site" and put a note in the log file. This change will take effect on the next setup run or if the user selects

[PATCH setup draft 2/4] Insist on cygwin signing key for official mirrors

2017-12-11 Thread Ken Brown
If a mirror comes from mirrors.lst, validate the signature using the cygwin signing key only. --- ini.cc | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ini.cc b/ini.cc index 18ab2e3..4be8263 100644 --- a/ini.cc +++ b/ini.cc @@ -292,8 +292,12 @@ do_remote_ini (HWND owner)

Re: [PATCH setup v4 0/6] Distinguish between user URLs and cygwin mirrors in UI

2017-12-11 Thread Ken Brown
On 12/10/2017 12:49 PM, Ken Brown wrote: TODO: Implement a way of validating purported mirrors. For example, we could make sure they are signed with the cygwin signing key. Or if the user has used the -X option to turn off signature checking, we could make sure that setup.ini contains

Re: [RFC] calm, setup: per-version requires

2017-12-11 Thread Jon Turney
On 05/12/2017 18:14, Achim Gratz wrote: Jon Turney writes: 2.880 onwards: The curr: version will get the union of 'depends:' and 'requires:', other versions will get 'requires:'. Actually it's worse than that, it just concatenates requires: and any depends: lines, applying the current

setup 2.883 release candidate - please test

2017-12-11 Thread Jon Turney
A new setup release candidate is available at: https://cygwin.com/setup/setup-2.883.x86.exe (32 bit version) https://cygwin.com/setup/setup-2.883.x86_64.exe (64 bit version) Please test and report problems to cyg...@cygwin.com. If no regressions are discovered in the next week or so,

Re: [PATCH setup v4 6/6] Display area and location of official mirrors

2017-12-11 Thread Brian Inglis
On 2017-12-11 01:37, Corinna Vinschen wrote: > On Dec 10 22:06, Brian Inglis wrote: >> On 2017-12-10 11:50, Ken Brown wrote: >>> On 12/10/2017 1:40 PM, Brian Inglis wrote: On 2017-12-10 10:49, Ken Brown wrote: > Mirrors from mirrors.lst have area and location info, which we now >