This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: setting up private mirror
- From: Achim Gratz <Stromeko at NexGo dot DE>
- To: cygwin at cygwin dot com
- Date: Thu, 3 Sep 2015 14:50:46 +0000 (UTC)
- Subject: Re: setting up private mirror
- Authentication-results: sourceware.org; auth=none
- References: <CAJGdTOAdWrXN7T06fPxDM=UXk59_02C4Nga9p12unv4-BqBepw at mail dot gmail dot com>
Chris Louden <chris.louden <at> gmail.com> writes:
> The process seem fairly straight forward
> setting up an apache instance and rsycing twice a day. However our
> NetSec folks have asked is there is any way I can sync the local repo
> via an authenticated or encrypted method. I guess to rule out a man in
> the middle scenario.
You probably want to read
https://cygwin.com/faq/faq.html#faq.setup.install-security
I suppose. Cygwin installation can't be tampered with unless you override
the signature check. It doesn't matter how or where you are syncing your
local mirror from, setup.exe is going to check the gpg signature on the
setup.ini file it reads and it won't install any package that has a
different SHA512 checksum than what's noted (and been signed) in setup.ini.
If you want to do a check after mirroring, you'd need to roll your own
signature checking and setup.ini parsing.
Regards,
Achim.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple