Non-human users of TeX Live

Ken Moffat zarniwhoop at ntlworld.com
Mon May 6 16:23:50 CEST 2024


On Mon, May 06, 2024 at 03:49:21PM +0200, Zdenek Wagner wrote:
[...]

> 
> Step 2 is not easy. Anybody can generate a GPG key with a false identity. I
> can find a fingerprint of Norbert's key in many e-mails and I met Norbert
> many years ago personally thus I am sure that he is a real person but in
> many cases I know only names and I have no evidence that these are real
> persons (most probably they are but you are never sure). So to be sure, the
> identity of the uploaded GPG key should be verified by independent means.
> 

This is about the xz compromise, and in many cases I really don't
know how you could verify a key sufficiently (fine for people who
actually meet at conferences or wherever, and who have with them
sufficient proof of their identity, much harder for individuals who
do not travel and do not work face-to-face with people who have
validated keys).

Example: I had a key (possibly now expired) which I uploaded.  At
that point nobody had agreed it was me, but people could check that
I used the same key on subsequent posts.  If I were the bad actor I
assume I could easily have got sock-puppets to validate my key.  So
it is not just the validation, it is getting validation from trusted
people.

For fonts, it is also limited in scope to those fonts which have
been uploaded to CTAN - in many cases using lualatex or xelatex it
is possible to use a TTF or OTF font sourced elsewhere.

ĸen
-- 
   Real Programmers use butterflies.
       (https://xkcd.com/378/)
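The continuity check Ken describes (the same key turning up on every subsequent post) is something a CTAN-style intake step can automate. The script below is an added example for this thread, not code from TeX Live, CTAN or anyone posting here. It reads the machine-readable status lines gpg prints when run as `gpg --status-fd 1 --verify file.asc file` (the GOODSIG, BADSIG, NO_PUBKEY and VALIDSIG keywords and their field order are gpg's own, per its DETAILS documentation), pins the primary-key fingerprint per uploader on first use, and flags any later upload signed under a different primary key. The uploader name, fingerprints and status text in it are constructed for the example. Note what it does and does not give you: it detects a change of key, but, exactly as the message says, it cannot tell whether the first key ever belonged to a real person; that still needs validation by people you trust.

```python
"""Trust-on-first-use (TOFU) continuity check for PGP-signed uploads.

Added example for this thread; not code from TeX Live, CTAN or anyone
posting here.  It records the primary-key fingerprint an uploader used the
first time and flags any later upload signed with a different key.  Input
is the status output gpg writes when run as, for example,
    gpg --status-fd 1 --verify package.tar.gz.asc package.tar.gz
The keyword layout (GOODSIG, BADSIG, NO_PUBKEY, VALIDSIG) follows gpg's
DETAILS documentation; the uploader name, fingerprints and status text
below are constructed sample input, not real output for any CTAN upload.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# VALIDSIG <sig-fpr> <date> <sig-ts> <exp-ts> <ver> <reserved> <pk-algo>
#          <hash-algo> <sig-class> [<primary-key-fpr>]
# We pin the trailing primary-key fingerprint: a signing subkey may rotate
# legitimately while the primary key (the identity) stays the same.  Older
# gpg versions omit the last field, in which case we fall back to <sig-fpr>.
VALIDSIG_RE = re.compile(
    r"^\[GNUPG:\] VALIDSIG (?P<sigfpr>[0-9A-F]{40}) \S+ \d+ \d+ \d+ \S+ \d+ \d+ "
    r"[0-9A-F]{2}(?: (?P<primary>[0-9A-F]{40}))?$"
)


@dataclass(frozen=True)
class Verdict:
    status: str                      # pinned | ok | key_changed | bad_signature | no_pubkey | unsigned
    fingerprint: str | None = None   # primary-key fingerprint seen on this upload
    pinned: str | None = None        # fingerprint previously recorded for this uploader


class KeyContinuity:
    """Per-uploader pin of the primary-key fingerprint, trust-on-first-use."""

    def __init__(self, pins: dict[str, str] | None = None) -> None:
        self.pins: dict[str, str] = dict(pins or {})

    def check(self, uploader: str, status_output: str) -> Verdict:
        fpr = None
        for raw in status_output.splitlines():
            line = raw.strip()
            if line.startswith("[GNUPG:] BADSIG "):
                return Verdict("bad_signature")   # signature does not verify at all
            if line.startswith("[GNUPG:] NO_PUBKEY "):
                return Verdict("no_pubkey")       # key not in the keyring: nothing to pin
            m = VALIDSIG_RE.match(line)
            if m:
                fpr = m.group("primary") or m.group("sigfpr")
        if fpr is None:
            return Verdict("unsigned")
        pinned = self.pins.get(uploader)
        if pinned is None:
            # First sight: record it.  This proves nothing about who holds the key;
            # it only lets us notice when a later upload uses a different one.
            self.pins[uploader] = fpr
            return Verdict("pinned", fpr, None)
        if pinned == fpr:
            return Verdict("ok", fpr, pinned)
        # Same uploader name, different primary key: hold the upload until the
        # change is confirmed out of band (a signed transition statement, or a
        # person the maintainers already trust vouching for the new key).
        return Verdict("key_changed", fpr, pinned)


# --- constructed sample data (fingerprints are arbitrary hex, not real keys) ---
PRIMARY_A = "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D"
SUBKEY_A = "DEADBEEF" * 5
PRIMARY_B = ("C0FFEE" * 7)[:40]
SUBKEY_B = "ABCDEF01" * 5
UID = "Example Uploader <uploader@example.org>"


def status_good(subkey: str, primary: str, uid: str) -> str:
    """Build gpg-style status output for a signature that verifies."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {subkey[-16:]} {uid}",
        f"[GNUPG:] VALIDSIG {subkey} 2024-05-06 1714982400 0 4 0 22 8 00 {primary}",
        "[GNUPG:] TRUST_UNDEFINED 0 pgp",
    ])


STATUS_BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {SUBKEY_A[-16:]} {UID}"
STATUS_NOKEY = (
    f"[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG {SUBKEY_A[-16:]} 22 8 00 1714982400 9 -\n"
    f"[GNUPG:] NO_PUBKEY {SUBKEY_A[-16:]}"
)


def demo() -> list[str]:
    """Walk one uploader through several uploads; returns the verdict statuses."""
    store = KeyContinuity()
    uploads = [
        status_good(SUBKEY_A, PRIMARY_A, UID),   # first upload: key gets pinned
        status_good(SUBKEY_A, PRIMARY_A, UID),   # same key again: ok
        status_good(SUBKEY_B, PRIMARY_B, UID),   # same name, different key: flag it
        STATUS_BAD,                              # signature fails
        STATUS_NOKEY,                            # signed by a key we do not have
    ]
    return [store.check("example-uploader", s).status for s in uploads]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A subkey rotation under the same primary key passes as "ok", which is the right granularity: the fingerprint that identifies a person in the web of trust is the primary key's. The "key_changed" verdict is a hold, not a rejection; resolving it is the human step the message is about.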