[tex-live] tlmgr: Package verification

Norbert Preining norbert at preining.info
Wed Jan 24 08:26:14 CET 2018


Hi,

> Oh, that's bad news. :-( So in the worst case, a compromised mirror
> could have delivered arbitrary packages, as long as they matched the
> original version in size?

Well, that was the case for the last 10 years, without even the size
check ;-) Now we have at least a guaranteed size check ;-) And with the
fixes I just committed again also checksum checks.

> But despite all this, one question remains: From what I can tell, "-v"
> printed the actual checksum of the tar.xz file, but the database
> contained another checksum.

No, it printed the checksum of the backup made before doing the upgrade.
That is of course not registered anywhere because it depends on the
system.

Norbert

--
PREINING Norbert                               http://www.preining.info
Accelia Inc.     +    JAIST     +    TeX Live     +    Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
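
The difference between the size check and the checksum check discussed in this message, as an added example (not tlmgr code and not from the author of the mail). The function names, the record layout, the payloads and the use of SHA-512 are assumptions made for illustration, and the expected values are assumed to come from a database the client already trusts.

```python
import hashlib
import hmac
import io

def verify_container(stream, expected_size, expected_sha512, chunk=65536):
    """Return 'ok', 'size-mismatch' or 'checksum-mismatch' for a download."""
    digest = hashlib.sha512()
    seen = 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        seen += len(block)
        if seen > expected_size:
            # Stop reading as soon as the mirror sends more than was recorded.
            return "size-mismatch"
        digest.update(block)
    if seen != expected_size:
        return "size-mismatch"
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(digest.hexdigest(), expected_sha512.lower()):
        return "checksum-mismatch"
    return "ok"

def size_only_check(data, record):
    """The weaker check: accepts anything with the recorded length."""
    return len(data) == record["size"]

# Constructed sample data: an original payload, a same-size modification,
# and a truncated download.
ORIGINAL = b"constructed package payload v1.0\n" * 4
TAMPERED = ORIGINAL.replace(b"v1.0", b"vX.X")
TRUNCATED = ORIGINAL[:-10]
RECORD = {"size": len(ORIGINAL), "sha512": hashlib.sha512(ORIGINAL).hexdigest()}

def check(data):
    return verify_container(io.BytesIO(data), RECORD["size"], RECORD["sha512"])

if __name__ == "__main__":
    for name, data in [("original", ORIGINAL), ("tampered", TAMPERED),
                       ("truncated", TRUNCATED)]:
        print(name, "size-only:", size_only_check(data, RECORD),
              "full:", check(data))
```

The same-size modification passes the size-only check and is rejected only once the checksum is compared.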

