Non-human users of TeX Live

Zdenek Wagner zdenek.wagner at gmail.com
Mon May 6 15:49:21 CEST 2024


On Mon, 6 May 2024 at 15:40, Gerd Neugebauer <gene at gerd-neugebauer.de>
wrote:

>
>
> On 06/05/2024 15:11 CEST Norbert Preining <norbert at preining.info> wrote:
>
>
> On Mon, 06 May 2024, Jonathan Fine wrote:
>
> This suggests that providing a secure and trusted supply chain for fonts,
> macros and other resources would help the managers of non-human TeX users.
>
> I always ask the same thing, not only you, but also in meetings at work:
> What is an actionable item you propose?
> Jonathan, you are a master of "abstract" proposals without any
> actionable steps. So let me help you here:
>
> - step 1: all authors of CTAN packages are required to create GPG keys
> and register their public keys with a (to be created) key server at
> CTAN
> - step 2: all uploads to CTAN need to be signed with a registered GPG key
> - step 3: uploaded packages that have no signature get a "slack time" of
> 1 year, after which they will be removed from CTAN
>
>
> I think we have a lot of orphaned packages on CTAN. Sometimes the author
> has simply lost interest or has even died. I am not sure whether it would
> be a good service to the TeX community to eliminate this historical
> knowledge.
> Currently we have a directory "obsolete" where everything is moved to
> which should otherwise be deleted. Thus step 3 should be reconsidered.
> Primarily we encourage people to publish packages and not to delete them.
>
> Step 2 is somehow my domain. I am working on a next major release of the
> CTAN site (too long already and too slow). Allowing only signed uploads
> might fit in there.
> Maybe I am ready when the other steps are ;-)
>

I agree with not deleting the old contents. Just because it is old and no
longer developed does not mean that it is not used. Velthuis Devanagari is
no longer developed but it still has its users because there are quite a
lot of documents which have to be processed and cannot be converted easily
to newer SW tools.

Step 2 is not easy. Anybody can generate a GPG key with a false identity. I
can find a fingerprint of Norbert's key in many e-mails, and I met Norbert
personally many years ago, thus I am sure that he is a real person; but in
many cases I know only names and I have no evidence that these are real
persons (most probably they are, but you are never sure). So, to be sure, the
identity of the uploaded GPG key should be verified by independent means.



> [...]
>
> PS: We need volunteers to implement steps 1-3, step 4 I can do. The rest
> is already done.
>
>
>

Zdeněk Wagner
https://www.zdenek-wagner.eu/





>
> Ciao
> Gerd (webmaster at ctan.org)
>
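Norbert's three steps describe a key registry plus mandatory signatures with a grace period for unsigned packages, and Zdeněk's objection is that a registered key alone proves nothing about who holds it. The following is an added example, not code from this thread, from CTAN or from TeX Live, that models those three steps and that objection as a small upload check. It uses Go's ed25519 signatures and SHA-256 fingerprints as a stand-in for GPG keys and fingerprints (GPG itself is not involved); the key server, the identity-verified flag, the one-year grace period, the 2024-05-06 clock and every sample upload are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Step 1: a maintainer key registered with the (hypothetical) CTAN key server.
// IdentityVerified is set only once the owner's identity was confirmed out of band.
type RegisteredKey struct {
	Public           ed25519.PublicKey
	IdentityVerified bool
}

// KeyServer maps a key fingerprint (hex SHA-256 of the key bytes here, standing
// in for a GPG fingerprint) to the registered key.
type KeyServer map[string]RegisteredKey

func Fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// Upload is one submission: archive, signing-key fingerprint, detached signature
// (empty when unsigned) and the time CTAN received it.
type Upload struct {
	Archive    []byte
	KeyFP      string
	Signature  []byte
	UploadedAt time.Time
}

// SignedUpload is step 2 on the maintainer's side: sign and attach the fingerprint.
func SignedUpload(priv ed25519.PrivateKey, archive []byte, at time.Time) Upload {
	return Upload{Archive: archive, UploadedAt: at, Signature: ed25519.Sign(priv, archive),
		KeyFP: Fingerprint(priv.Public().(ed25519.PublicKey))}
}

// GracePeriod is step 3: unsigned uploads are tolerated for one year.
const GracePeriod = 365 * 24 * time.Hour
type Verdict string // CTAN-side decision together with its reason
const (
	Accepted           Verdict = "accepted: signed by a registered, identity-verified key"
	UnsignedInGrace    Verdict = "tolerated: unsigned, still inside the one-year grace period"
	GraceExpired       Verdict = "rejected: unsigned and older than the grace period"
	UnknownKey         Verdict = "rejected: signing key is not registered"
	UnverifiedIdentity Verdict = "rejected: key owner's identity was never verified"
	BadSignature       Verdict = "rejected: signature does not match the archive"
)

// CheckUpload judges one upload as of time now.
func (ks KeyServer) CheckUpload(u Upload, now time.Time) Verdict {
	key, registered := ks[u.KeyFP]
	switch {
	case len(u.Signature) == 0 && now.Sub(u.UploadedAt) > GracePeriod:
		return GraceExpired
	case len(u.Signature) == 0:
		return UnsignedInGrace
	case !registered:
		return UnknownKey
	case !key.IdentityVerified:
		return UnverifiedIdentity
	case !ed25519.Verify(key.Public, u.Archive, u.Signature):
		return BadSignature
	}
	return Accepted
}

// RunScenarios checks constructed sample uploads and returns each verdict by name.
func RunScenarios() map[string]Verdict {
	now := time.Date(2024, 5, 6, 15, 49, 0, 0, time.UTC) // assumed clock
	archive := []byte("constructed sample archive: mypkg.tds.zip")
	goodPub, goodPriv, _ := ed25519.GenerateKey(rand.Reader)
	fakePub, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ks := KeyServer{
		Fingerprint(goodPub): {goodPub, true},  // identity checked out of band
		Fingerprint(fakePub): {fakePub, false}, // key uploaded, identity never checked
	}
	tampered := SignedUpload(goodPriv, archive, now)
	tampered.Archive = []byte("constructed sample archive: mypkg.tds.zip, altered after signing")
	results := map[string]Verdict{}
	for name, u := range map[string]Upload{
		"signed by verified key":         SignedUpload(goodPriv, archive, now),
		"archive tampered after signing": tampered,
		"signed by unverified key":       SignedUpload(fakePriv, archive, now),
		"signed by unregistered key":     SignedUpload(strangerPriv, archive, now),
		"unsigned, 6 months old":         {Archive: archive, UploadedAt: now.AddDate(0, -6, 0)},
		"unsigned, 2 years old":          {Archive: archive, UploadedAt: now.AddDate(-2, 0, 0)},
	} {
		results[name] = ks.CheckUpload(u, now)
	}
	return results
}
func main() {
	for name, v := range RunScenarios() {
		fmt.Println(name, "->", v)
	}
}
```

The order of the checks is the point: a valid signature from a key that merely exists in the registry is still rejected until the owner's identity has been confirmed by some independent means, which is the gap Zdeněk describes, while unsigned legacy uploads are tolerated only until the grace period runs out.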