[tex-live] tlmgr: Package verification
Norbert Preining
norbert at preining.info
Wed Jan 24 08:26:14 CET 2018
Hi,

> Oh, that's bad news. :-( So in the worst case, a compromised mirror
> could have delivered arbitrary packages, as long as they matched the
> original version in size?

Well, that was the case for the last 10 years, without even the size
check ;-) Now we have at least a guaranteed size check ;-) And with the
fixes I just committed again also checksum checks.

> But despite all this, one question remains: From what I can tell, "-v"
> printed the actual checksum of the tar.xz file, but the database
> contained another checksum.

No, it printed the checksum of the backup made before doing the upgrade.
That is of course not registered anywhere because it depends on the
system.

Norbert
--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13