Steps to check the texlive iso image

George N. White III gnwiii at gmail.com
Sat Apr 3 14:33:38 CEST 2021


On Fri, 2 Apr 2021 at 20:56, Norbert Preining <norbert at preining.info> wrote:

> Hi Luigi,
>
> > I follow these steps to check the texlive iso image from linux:
> [...]
> > Can be added in some form to the
> > https://tug.org/texlive/acquire-iso.html
>
> The same would have to be added to the installer download which is also
> signed, and probably some other pages - while not providing anything
> that shouldn't be common knowledge.
>

I agree that this should be common knowledge, but the fact is that many
TeX users are barely aware of the need to verify downloads because
99% of the time they use distro packages and App Stores that hide the
details. Many just want either a "magic recipe" they can follow without
understanding or a way to disable or ignore the checks.

Debian's
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html
is a decent model that could (not by chance!) be adapted to TeX Live.

Enterprises are now doing supply chain reviews and asking hard
questions about open source repositories. Use of 3rd party packages
may be restricted (e.g., no binaries -- always build from sources). For
TeX Live this forces users to rely on linux distro packages. The
future may include requirements for 3rd party audits of practices and
policies of open source archive sites.

> Not sure how and in which form we want to add this, but I will think
> about it, and discuss with Karl later on.
>

The document needs to a) educate users who haven't had to deal with
the details of signed packages, and b) provide a document that can be
referenced during security reviews. Since users should be thinking about
their own supply chain security, it makes sense for one document that
covers (a) and (b) together. Some users will ignore most of the contents,
but it is there for those who don't.

-- 
George N. White III