| 1 |
On Thu, Feb 10, 2022 at 05:02:18PM +0500, Anna Vyalkova wrote: |
| 2 |
> On 2022-02-09 23:16, Robin H. Johnson wrote: |
| 3 |
> > Yes, Go is the biggest nail sticking out right now, but it's a growing |
| 4 |
> > problem overall. |
| 5 |
> > - Golang modules |
| 6 |
> > - Rust crates |
| 7 |
> > - NodeJS modules |
| 8 |
> > - Texlive packages |
| 9 |
> > |
| 10 |
> > |
| 11 |
> > Third party systems would be required to provide suitable security on |
| 12 |
> > their distfiles. Go & Rust do. I think NodeJS & Tex don't, but I'm happy |
| 13 |
> > to be proven wrong. |
| 14 |
Thanks! |
| 15 |
|
| 16 |
> package.lock files have "integrity" keys: |
| 17 |
> https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json#integrity |
| 18 |
Those don't provide authenticity, only integrity. |
| 19 |
|
| 20 |
> |
| 21 |
> Texlive repository files (texlive.tlpdb) have checksums of every package |
| 22 |
> in them |
| 23 |
http://tug.ctan.org/systems/texlive/tlnet/tlpkg/texlive.tlpdb |
| 24 |
http://tug.ctan.org/systems/texlive/tlnet/tlpkg/texlive.tlpdb.sha512 |
| 25 |
http://tug.ctan.org/systems/texlive/tlnet/tlpkg/texlive.tlpdb.sha512.asc |
| 26 |
|
| 27 |
And the GPG key used in that .asc, |
| 28 |
C78B82D8C79512F79CC0D7C80D5E5D9106BAB6BC, expired in 2016-03-19, even |
| 29 |
freshly fetched from keyservers, but they are still using it for making |
| 30 |
signatures. |
| 31 |
|
| 32 |
However, there's no individual signature on the package distfile, e.g. |
| 33 |
http://tug.ctan.org/systems/texlive/tlnet/archive/zztex.r55862.tar.xz |
| 34 |
You cannot verify it unless you have the have the TLPDB that includes |
| 35 |
that revision (so if a new revision comes out, verification is done). |
| 36 |
|
| 37 |
-- |
| 38 |
Robin Hugh Johnson |
| 39 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
| 40 |
E-Mail : robbat2@g.o |
| 41 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 42 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives