TeX Live future access in danger

Jonathan Kew jfkthame at gmail.com
Sat Apr 13 00:25:39 CEST 2019


On 12/04/2019 21:30, Nelson H. F. Beebe wrote:
> The SANS security list today carries a pointer to this story:
> 
> 	Google Chrome engineers want to block some HTTP file downloads
> 	https://www.zdnet.com/article/google-chrome-engineers-want-to-block-some-http-file-downloads/
> 
> The story notes:
> 
>>> ...
>>> According to a proposal the browser maker has put forward yesterday,
>>> only the download of certain "high-risk" file types will be blocked by
>>> default.
>>>
>>> This includes EXE (Windows application binary), DMG (Mac application
>>> binary), CRX (Chrome extension package), and all the major archive
>>> formats, like ZIP, GZIP, BZIP, TAR, RAR, and 7Z.
>>> ...
> 
> I personally view this as totally wrong-headed, and also easily
> subverted by the creation of encrypted data streams transferred under
> innocuous names.  Nevertheless, if implemented, it could be a
> significant problem for Web sites with downloadable content, including
> TeX Live and CTAN mirrors.

More precisely, the proposal (as I understand it) is to block downloads 
carried out via HTTP links from sites that themselves load via an HTTPS URL.

So provided the downloads are also served via HTTPS (as they should be, 
to minimize the risk of tampering), they're not affected by this.

Perhaps it's time to enable HTTPS on those TL/CTAN mirrors....

JK
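The rule Jonathan describes above (an HTTP download link on a page that itself loaded over HTTPS) is easy to audit for offline. The script below is an added example and is not part of this thread or of TeX Live/CTAN tooling: it resolves each link on a page the way a browser would, so relative and protocol-relative links inherit the page's scheme and are not affected, while an explicit `http://` link to a high-risk file type would be. The suffix list is my reading of the ZDNet excerpt quoted above (the mapping of "GZIP"/"BZIP" to `.gz`/`.bz2` and the `.tgz`/`.tbz2` variants are assumptions), the mirror hostnames are made up, and the HTML snippet is constructed.

```python
"""Audit a mirror index page for download links that would be blocked under
the mixed-content download rule discussed in the thread.  Added example, not
part of the original message; the suffix list, the sample URL and the sample
HTML are assumptions/constructed data."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File types named in the quoted ZDNet excerpt.  The excerpt says "like", so
# this list is illustrative, not the browser's actual policy.
HIGH_RISK_SUFFIXES = (
    ".exe", ".dmg", ".crx",
    ".zip", ".gz", ".tgz", ".bz2", ".tbz2", ".tar", ".rar", ".7z",
)


def is_high_risk(path: str) -> bool:
    """True if the last path component ends in one of the listed suffixes."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(name.endswith(suffix) for suffix in HIGH_RISK_SUFFIXES)


def classify_link(page_url: str, href: str) -> str:
    """Return 'blocked', 'allowed' or 'unaffected' for one link on a page.

    'blocked'    -- page is https, the resolved link is http, high-risk suffix
    'allowed'    -- high-risk suffix, but the scheme is not downgraded
    'unaffected' -- suffix not on the list, so the rule never applies
    """
    page = urlsplit(page_url)
    # urljoin resolves relative and protocol-relative hrefs against the page,
    # so "install-tl.zip" or "//host/x.tar.gz" on an https page stays https.
    target = urlsplit(urljoin(page_url, href))
    if not is_high_risk(target.path):
        return "unaffected"
    if page.scheme == "https" and target.scheme == "http":
        return "blocked"
    return "allowed"


class _LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def audit_page(page_url: str, html: str) -> dict[str, str]:
    """Map every href found in the HTML to its verdict."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: classify_link(page_url, href) for href in collector.hrefs}


# Constructed sample: an https mirror index with a mix of link styles.
SAMPLE_PAGE_URL = "https://mirror.example.org/tex-archive/systems/texlive/"
SAMPLE_HTML = """
<a href="install-tl.zip">install-tl.zip</a>
<a href="http://mirror.example.org/tex-archive/systems/texlive/install-tl-unx.tar.gz">install-tl-unx.tar.gz</a>
<a href="//mirror.example.org/tex-archive/systems/texlive/install-tl-unx.tar.gz">install-tl-unx.tar.gz (protocol-relative)</a>
<a href="http://mirror.example.org/tex-archive/systems/texlive/README">README</a>
<a href="http://other.example.net/tlnet/install-tl.exe">install-tl.exe</a>
"""

if __name__ == "__main__":
    for href, verdict in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"{verdict:10s} {href}")
```

Only the two absolute `http://` links to archive/executable files come back as `blocked`; the relative and protocol-relative links resolve to `https` and are fine, which is the point of Jonathan's reply: a mirror that serves its downloads over HTTPS (and links to them that way) is not affected.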

