On Thu, Feb 10, 2022 at 05:02:18PM +0500, Anna Vyalkova wrote:
> On 2022-02-09 23:16, Robin H. Johnson wrote:
> > Yes, Go is the biggest nail sticking out right now, but it's a growing
> > problem overall.
> > - Golang modules
> > - Rust crates
> > - NodeJS modules
> > - Texlive packages
> >
> >
> > Third party systems would be required to provide suitable security on
> > their distfiles. Go & Rust do. I think NodeJS & Tex don't, but I'm happy
> > to be proven wrong.
Thanks!

> package.lock files have "integrity" keys:
> https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json#integrity
Those don't provide authenticity, only integrity.

>
> Texlive repository files (texlive.tlpdb) have checksums of every package
> in them
http://tug.ctan.org/systems/texlive/tlnet/tlpkg/texlive.tlpdb
http://tug.ctan.org/systems/texlive/tlnet/tlpkg/texlive.tlpdb.sha512
http://tug.ctan.org/systems/texlive/tlnet/tlpkg/texlive.tlpdb.sha512.asc

And the GPG key used in that .asc,
C78B82D8C79512F79CC0D7C80D5E5D9106BAB6BC, expired on 2016-03-19, even
freshly fetched from keyservers, but they are still using it for making
signatures.

However, there's no individual signature on the package distfile, e.g.
http://tug.ctan.org/systems/texlive/tlnet/archive/zztex.r55862.tar.xz
You cannot verify it unless you have the TLPDB that includes
that revision (so if a new revision comes out, verification is done).

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
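The TLPDB-based verification Robin describes, written out as an added example that is not part of the original message or of TeX Live's own tooling. It assumes the texlive.tlpdb record layout (blank-line separated "key value" lines, containerchecksum holding the SHA-512 of the archive, file lists indented by one space) and a sha512sum-style texlive.tlpdb.sha512; the record and archive bytes are constructed, and the .asc signature check is left out since it needs the key.

```python
import hashlib
import hmac
import re
# Constructed stand-in for zztex.r55862.tar.xz (not the real archive); the
# tlpdb record below is built so its containerchecksum matches these bytes.
ARCHIVE = b"constructed stand-in for zztex.r55862.tar.xz\n"

# Constructed record modelled on the texlive.tlpdb layout (assumption): blank-line
# separated "key value" lines, with file lists indented by one space.
TLPDB_TEXT = (
    "name zztex\ncategory Package\nrevision 55862\n"
    f"containersize {len(ARCHIVE)}\n"
    f"containerchecksum {hashlib.sha512(ARCHIVE).hexdigest()}\n"
    "runfiles size=1\n texmf-dist/tex/latex/zztex/zztex.sty\n"
)
# Constructed texlive.tlpdb.sha512 contents, assumed sha512sum-style; it only
# vouches for the tlpdb once the detached .asc signature on it has been verified.
TLPDB_SHA512_LINE = hashlib.sha512(TLPDB_TEXT.encode()).hexdigest() + "  texlive.tlpdb\n"

def parse_tlpdb(text):
    """Return {package name: {field: value}} for every record in a tlpdb."""
    db = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            if line.startswith(" "):  # file-list continuation line, not a field
                continue
            key, _, value = line.partition(" ")
            fields[key] = value
        if "name" in fields:
            db[fields["name"]] = fields
    return db

def verify_tlpdb_digest(tlpdb_bytes, sha512_line):
    """Check the fetched texlive.tlpdb against its .sha512 companion file."""
    expected = sha512_line.split()[0].lower()
    return hmac.compare_digest(hashlib.sha512(tlpdb_bytes).hexdigest(), expected)

def verify_distfile(db, name, revision, data):
    """Check <name>.r<revision>.tar.xz against the tlpdb; a tlpdb carrying another revision cannot vouch for it."""
    rec = db.get(name)
    if rec is None:
        return "unknown-package"
    if rec.get("revision") != str(revision):
        return "revision-mismatch"
    if "containersize" in rec and int(rec["containersize"]) != len(data):
        return "size-mismatch"
    if not hmac.compare_digest(hashlib.sha512(data).hexdigest(), rec.get("containerchecksum", "")):
        return "checksum-mismatch"
    return "ok"
```

The revision-mismatch branch is the failure mode in the message: once the mirror's tlpdb moves to a newer revision, the archive you already hold can no longer be checked against it.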