Non-human users of TeX Live
Norbert Preining
norbert at preining.info
Mon May 6 15:11:50 CEST 2024
On Mon, 06 May 2024, Jonathan Fine wrote:
> This suggests that providing a secure and trusted supply chain for fonts,
> macros and other resources would help the managers of non-human TeX users.
I always ask the same thing, not only you, but also in meetings at work:
What is an actionable item you propose?
Jonathan, you are a master of "abstract" proposals without any
actionable steps. So let me help you here:
- step 1: all authors of CTAN packages are required to create GPG keys
and register their public keys with a (to be created) key server at
CTAN
- step 2: all uploads to CTAN need to be signed with a registered GPG key
- step 3: uploaded packages that have no signature get a "slack time" of
1 year, after which they will be removed from CTAN
- step 4: TeX Live imports will check the signatures against the CTAN
signature database when importing into TeX Live.
From here on, we are already back to reality:
- TeX Live signs its releases and database files with a unique key
- tlmgr can verify the authenticity of the TeX Live database and thus
the downloaded packages (via sha256 checksums)
Does this sound like a good plan to you? It would solve the potential
supply chain attack you are afraid of.
Best regards
Norbert
PS: We need volunteers to implement steps 1-3, step 4 I can do. The rest
is already done.
--
PREINING Norbert https://www.preining.info
arXiv / Cornell University + IFMGA Guide + TU Wien + TeX Live
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
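The two-layer check the post describes for TeX Live (a signed database, then per-package sha256 comparison against that database) is sketched below as an added example; it is not part of Norbert's message and not tlmgr's code. The GPG verification of the database is modelled by a boolean supplied by the caller, standing in for the outcome of a gpg signature check, so that the example stays stdlib-only and focuses on how trust flows from the one signed artefact to every downloaded package. Package names and contents are constructed sample data.

```python
"""Signed checksum database -> per-package sha256 verification (added example)."""
import hashlib
import hmac

# Constructed sample archives standing in for downloaded packages.
GOOD_PACKAGES = {
    "fontpkg.tar.xz": b"constructed font package payload",
    "macropkg.tar.xz": b"constructed macro package payload",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_database(packages: dict[str, bytes]) -> bytes:
    """Publisher side: one 'name sha256' line per package. This is the
    single artefact that gets signed; the packages themselves do not."""
    lines = [f"{name} {sha256_hex(data)}" for name, data in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def parse_database(db_bytes: bytes) -> dict[str, str]:
    """Client side: parse the database into name -> expected sha256.
    A malformed line is an error, not something to skip silently."""
    db: dict[str, str] = {}
    for raw in db_bytes.decode().splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError(f"malformed database line: {raw!r}")
        db[parts[0]] = parts[1].lower()
    return db


def verify_package(db: dict[str, str], name: str, data: bytes) -> tuple[bool, str]:
    """A download is trusted only if the signed database lists it and the
    hash of the bytes actually received matches the listed value."""
    expected = db.get(name)
    if expected is None:
        return False, "not listed in database"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, "sha256 mismatch"
    return True, "ok"


def verify_downloads(db_bytes: bytes, db_signature_ok: bool,
                     downloads: dict[str, bytes]) -> dict[str, tuple[bool, str]]:
    """db_signature_ok stands in for the result of verifying the GPG
    signature on the database (assumption: done by an external tool)."""
    if not db_signature_ok:
        # Without a valid signature, the checksums in the database prove nothing.
        return {name: (False, "database signature invalid") for name in downloads}
    db = parse_database(db_bytes)
    return {name: verify_package(db, name, data) for name, data in downloads.items()}


def demo() -> dict[str, dict[str, tuple[bool, str]]]:
    """Run the clean case plus the three failure modes a client must reject."""
    db = build_database(GOOD_PACKAGES)
    tampered = dict(GOOD_PACKAGES)
    tampered["fontpkg.tar.xz"] = b"constructed font package payload, altered in transit"
    unlisted = {"rogue.tar.xz": b"constructed package never listed in the database"}
    return {
        "clean": verify_downloads(db, True, GOOD_PACKAGES),
        "tampered": verify_downloads(db, True, tampered),
        "unlisted": verify_downloads(db, True, unlisted),
        "unsigned_db": verify_downloads(db, False, GOOD_PACKAGES),
    }


if __name__ == "__main__":
    for scenario, results in demo().items():
        for name, (ok, why) in results.items():
            print(f"{scenario:12} {name:16} {'OK    ' if ok else 'REJECT'} {why}")
```

The order of checks matters: the database signature is checked before any checksum is read, so a tampered or unlisted package can never be accepted on the strength of an unverified database, and a mismatch is reported per package rather than aborting the whole run.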