[texhax] TeXLive installation: Integrity Checks, Cryptographic Signatures?

Lars Madsen daleif at math.au.dk
Thu Aug 20 09:44:04 CEST 2015


And you are asking this on texhax and not the texlive mailing list because?

/Lars Madsen
Institut for Matematik / Department of Mathematics
Aarhus Universitet / Aarhus University
Mere info: http://au.dk/daleif@math / More information: http://au.dk/en/daleif@math


________________________________________
From: texhax [texhax-bounces at tug.org] on behalf of Moritz Schulte [Moritz.Schulte at ruhr-uni-bochum.de]
Sent: 19 August 2015 16:01
To: support at tug.org
Subject: [texhax] TeXLive installation: Integrity Checks, Cryptographic Signatures?

Dear TUG,

since I am having trouble with the TeXLive version packaged for my OS
Distribution, I would like to install a recent 'vanilla' TeXLive version
from https://www.tug.org/texlive/.

I was surprised to realize that
https://www.tug.org/texlive/acquire-netinstall.html does not promote any
(easily accessible) way for doing integrity checks for the installer.
After some digging I figured out that one can download the sha256
checksums from https://www.ctan.org/tex-archive/systems/texlive/tlnet.
Is there any particular reason for not making these checksums easily
findable? If not, I would like to make the suggestion of adding these
checksums to the primary download page for the TeXLive installers.

(Of course, checksums published on a webpage could potentially also be
forged, but without some kind of trust link this problem is difficult to
solve. Hence, spreading the checksums is at least something...)

My second question is about the tlmgr program. When I install packages
using tlmgr, does it do integrity checks, e.g. by comparing checksums or
by verifying cryptographic signatures? Maybe I have overlooked something,
but so far I couldn't find anything in the manual of tlmgr.

I have a bad feeling when executing code on my system without any way of
making sure that the code is in fact the code it is supposed to be. It
would be helpful if the manual would mention this.

Thank you very much,
Moritz Schulte
