This is the mail archive of the cygwin mailing list for the Cygwin project.



RE: Im having a problem downloading version 1.5.25-15 having something to do with setup.ini.sig


Buchbinder, Barry (NIH/NIAID) wrote on 15 August 2008 22:24:

> It would seem that when setup encounters the error that Garret
> encountered, it should ask whether to continue anyway (i.e., invoke -X)
> or abort.  If nothing else, it will avoid some of the emails to the list
> that repeat Garret's report.

  I don't like that idea.  The single biggest flaw in PKI is the fact that
people just regard requesters as an annoyance, don't read them, and just
want to click right through.  If you're going to have an "ignore security"
button, security will be ignored every time; you might as well just not
bother checking the signature in the first place.  I very much want to make
it *difficult* for the user to disable their safety protection.  I seriously
considered not even offering a choice at all.

> It would also seem that a checkbox that invokes the -X functionality
> would offer flexibility to people who know in advance that there is no
> sig but do not remember the option, don't need to use -X often enough to
> have a shortcut, etc.

  I guess what I really want to do is add some form of key management, so
that external package repository owners can start signing their setup.inis
and distribute keys to their users.  (This can currently be done via the
commandline, but it's not very friendly, sorry.  But if you use -K or -S
to give it a key once, it gets cached, and can be reused every time by
adding -U; maybe that should be the default.  Or maybe I should add an
option to look up keys from the user's gpg keyring where present, and
piggyback off gpg's key management functions.  That might work quite well,
we'd get to use the keyservers, trust-signing and revocation
infrastructure).
 
> Related #1:  -X (and -K, -S, -u, and -U?) might be added to FAQ entry
> on setup command-line usage:
> http://cygwin.com/faq/faq-nochunks.html#faq.setup.cli.  A link to
> http://www.cygwin.com/ml/cygwin-announce/2008-08/msg00001.html might be
> appropriate.
> 
> Related #2:  It would be useful to update the setup command-line usage
> link on http://sourceware.org/cygwin-apps/setup.htm to perhaps point to
> the FAQ entry.

  Thanks for the reminder; I haven't had a chance to update the docs yet,
but I'll get on it.
 
> And thanks for all the work that's gone into setup.

  :)

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
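
The fail-closed behaviour argued for in the reply above, as an added example that is not part of the original message and is not setup.exe's code: a shell function that checks a detached setup.ini.sig with gpgv against one pinned keyring file and offers no "continue anyway" path. The function name, return codes and keyring location are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed verification of a detached signature.
# Assumptions (not from the thread): gpgv is installed, and the keyring
# argument is a file holding only the repository owner's public key.

verify_setup_ini() {
    ini=$1
    sig=$2
    keyring=$3

    # Every missing input is a hard failure; there is no prompt to skip.
    [ -f "$ini" ] || { echo "missing file: $ini" >&2; return 2; }
    [ -f "$sig" ] || { echo "missing signature: $sig" >&2; return 3; }
    [ -f "$keyring" ] || { echo "missing keyring: $keyring" >&2; return 4; }
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 5; }

    # gpgv accepts only signatures made by keys in the given keyring,
    # so the default user keyring is never consulted for this check.
    if gpgv --keyring "$keyring" "$sig" "$ini" >/dev/null 2>&1; then
        return 0
    fi
    echo "signature check failed for $ini" >&2
    return 1
}

# Typical call (paths are placeholders):
#   verify_setup_ini ./setup.ini ./setup.ini.sig /path/to/repo-owner.gpg \
#       || exit 1
```

Pass the keyring as a path containing a slash; gpgv resolves a bare file name relative to its home directory.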

