Fwd: New on CTAN: cyrillic-modern
Arthur Rosendahl
arthur.reutenauer at normalesup.org
Mon May 6 13:50:23 CEST 2024
On Mon, May 06, 2024 at 12:14:52PM +0100, Jonathan Fine wrote:
> Do we know that this is a genuine update, rather than a supply chain
> attack? Recall the recent xz utils attack CVE-2024-3094. Malicious fonts
> can change the meaning of a document.
It’s not an update.
All the Type 1, TFM, and OpenType files are hash-identical two by two
between the SourceForge repository and today’s CTAN upload. I didn’t
look at the other files because it really seemed unnecessary. The
package looks like a completely standard, albeit somewhat dated, font
package like CTAN has hundreds (thousands?) of.
> Malicious fonts
> can change the meaning of a document.
Surely users will check the typeset result to see if the contents
actually reflect the source, and can be trusted to judge for themselves?
It’s not the responsibility of the TeX Live maintainers to check that
sort of thing.
Arthur
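The check Arthur describes above (hashing the Type 1, TFM and OpenType files from the SourceForge repository and the CTAN upload and confirming they match pairwise) can be automated. The following is an added example, not code from the thread, from CTAN or from TeX Live. It hashes every regular file under two directory trees with SHA-256 and reports which relative paths are identical, which differ, and which exist on only one side; the last two categories go slightly beyond the two-by-two comparison in the message, since an upload that silently adds or drops a file is worth noticing too. The directory names, file contents and the FONT_SUFFIXES filter are constructed for the demonstration and are not taken from the cyrillic-modern package.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes of the file types compared in the message: Type 1 (.pfb/.afm), TFM, OpenType.
# The set is an assumption for this example; pass suffixes=None to compare every file.
FONT_SUFFIXES = {".pfb", ".afm", ".tfm", ".otf"}


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of one file, read in chunks so large fonts don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path, suffixes=None) -> dict:
    """Map each relative POSIX path under root to its SHA-256, optionally filtered by suffix."""
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (suffixes is None or p.suffix.lower() in suffixes):
            digests[p.relative_to(root).as_posix()] = sha256_file(p)
    return digests


def compare_trees(reference: Path, candidate: Path, suffixes=None) -> dict:
    """Compare a trusted tree (e.g. the upstream checkout) with a candidate (e.g. the CTAN upload).

    Returns sorted lists of relative paths: identical, changed, only_in_reference, only_in_candidate.
    """
    ref = hash_tree(reference, suffixes)
    cand = hash_tree(candidate, suffixes)
    return {
        "identical": sorted(k for k in ref if k in cand and ref[k] == cand[k]),
        "changed": sorted(k for k in ref if k in cand and ref[k] != cand[k]),
        "only_in_reference": sorted(set(ref) - set(cand)),
        "only_in_candidate": sorted(set(cand) - set(ref)),
    }


def build_demo() -> tuple:
    """Constructed sample data: two tiny trees standing in for the SourceForge checkout and the CTAN upload.

    The contents are placeholders, not real font files.
    """
    base = Path(tempfile.mkdtemp(prefix="fontcheck-"))
    ref, cand = base / "sourceforge", base / "ctan"
    files = {
        "fonts/type1/sample/sample.pfb": b"%!PS-AdobeFont-1.0: Sample\n",
        "fonts/tfm/sample/sample.tfm": bytes(range(32)),
        "fonts/opentype/sample/sample.otf": b"OTTO" + b"\x00" * 12,
        "doc/README": b"sample font package\n",
    }
    for rel, data in files.items():
        for root in (ref, cand):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    # Deliberate differences on the candidate side: one modified .otf and one extra file.
    (cand / "fonts/opentype/sample/sample.otf").write_bytes(b"OTTO" + b"\x00" * 11 + b"\x01")
    extra = cand / "fonts/map/extra.map"
    extra.parent.mkdir(parents=True, exist_ok=True)
    extra.write_bytes(b"sample SampleFont <sample.pfb\n")
    return ref, cand


if __name__ == "__main__":
    reference, candidate = build_demo()
    for label, report in (("font files only", compare_trees(reference, candidate, FONT_SUFFIXES)),
                          ("all files", compare_trees(reference, candidate))):
        print(f"== {label} ==")
        for key, paths in report.items():
            print(f"{key}: {paths}")
```

For a real check, point `compare_trees` at a fresh clone of the upstream repository and at the unpacked CTAN archive; an empty `changed` list together with empty `only_in_*` lists is the "hash-identical" result described in the message, and anything else is a concrete list of files to open and inspect.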
More information about the tex-live mailing list.