Discussion:
tlmgr: Package verification
Philipp
2017-11-05 17:48:28 UTC
Hi there,

I want to install TeX Live 2017 on Windows 10. As I'm rather paranoid
when software uses its own package manager or update mechanism, I'd
like to know if (and how) tlmgr ensures the integrity of
downloaded/updated packages. I found some presentation slides from
2016 that seem to address that very problem, but I'm not sure if all
the things mentioned there are performed out-of-the-box.
From what I found out so far, it seems as if a separate
GPG-installation is necessary for all the verification stuff to work?

What happens if I run tlmgr (or the Windows net installer) without
having GPG installed? Does it verify SHA512-hashes of downloaded
packages against those found in texlive.tlpdb, but without checking
the authenticity of the latter?
For GPG, does it suffice to download and install Gpg4Win before
installing Tex Live/running tlmgr?

What's the purpose of the repository at
http://www.preining.info/tlgpg/ that is mentioned in the presentation?
Do I still need tlgpg if I use tlmgr with Gpg4Win installed?

I hope someone can help me with these questions (or point me to some
documentation that answers them - perhaps I simply didn't find it).

Regards,
Philipp
Norbert Preining
2017-11-05 23:56:45 UTC
Hi Philipp,
Post by Philipp
like to know if (and how) tlmgr ensures the integrity of
downloaded/updated packages. I found some presentation slides from
2016 that seem to address that very problem, but I'm not sure if all
Yes it does.
Post by Philipp
the things mentioned there are performed out-of-the-box.
If there is a gpg installation available, yes; otherwise no.
Post by Philipp
From what I found out so far, it seems as if a separate
GPG-installation is necessary for all the verification stuff to work?
Especially on Windows and Mac, yes. Linux installations normally have
gpg around.
Post by Philipp
What happens if I run tlmgr (or the Windows net installer) without
having GPG installed? Does it verify SHA512-hashes of downloaded
It works normally but gives a warning that gpg is not installed and
verification cannot be performed.
Post by Philipp
For GPG, does it suffice to download and install Gpg4Win before
installing Tex Live/running tlmgr?
If after that gpg is in the PATH, yes. Or you can install tlgpg which is
Post by Philipp
What's the purpose of the repository at
http://www.preining.info/tlgpg/ that is mentioned in the presentation?
Do I still need tlgpg if I use tlmgr with Gpg4Win installed?
No. tlgpg *OR* Gpg4Win. The point is that there needs to be a gpg binary
available in the PATH.

Hope that helps

Norbert

--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Philipp
2017-11-06 06:43:00 UTC
Hi Norbert,
Post by Norbert Preining
Hope that helps
Yes it does :-) Thanks a lot for your reply.

Philipp
Martin Schröder
2017-11-07 16:01:44 UTC
Post by Norbert Preining
Hope that helps
Thanks. Since I was searching for the same information in the
manual recently and didn't find anything: Please include that
information there.

Best
Martin
Norbert Preining
2017-11-07 23:45:29 UTC
Post by Martin Schröder
manual recently and didn't find anything: Please include that
information there.
I committed these changes:

index 5a052686f31..831ae58ecb6 100755
--- a/Master/texmf-dist/scripts/texlive/tlmgr.pl
+++ b/Master/texmf-dist/scripts/texlive/tlmgr.pl
@@ -8554,6 +8554,13 @@ report C<(verified)> after loading the TLPDB; otherwise, they report
C<(not verified)>. Either way, by default the installation and/or
updates proceed normally.

+If a program C<gpg> is available (that is, it is found in the C<PATH>),
+cryptographic signatures will be checked. In this case we require that
+the main repository is signed. This is not required for additional r
+repositories. If C<gpg> is not available, signatures are not checked
+and no verification is carried out, but C<tlmgr> proceeds normally.
+This is the behavior of C<tlmgr> up to TeX Live 2016.
+
The attempted verification can be suppressed by specifying
C<--no-verify-downloads> on the command line, or the entry
C<verify-downloads = 0> in a C<tlmgr> config file (described in
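Review bot: the third added line ends in a stray "r" ("additional r" / "repositories"), which will be rendered verbatim in the POD output; drop it so the word reads "additional repositories". The paragraph also states that the main repository is required to be signed when gpg is present but not what tlmgr does when that requirement is not met (the quit behaviour is only described for --require-verification in the next paragraph); one sentence such as "If the main repository carries no valid signature, tlmgr quits" would close that gap. Finally, "This is the behavior of tlmgr up to TeX Live 2016" is ambiguous as the last sentence of the paragraph; say explicitly that it is the no-gpg case that matches the pre-2017 behaviour.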
@@ -8561,6 +8568,9 @@ L<CONFIGURATION FILE FOR TLMGR>). On the other hand, it is possible to
I<require> verification by specifying C<--require-verification> on the
command line, or C<require-verification = 1> in a C<tlmgr> config file;
in this case, if verification is not possible, the program quits.
+Note that as mentioned above, if C<gpg> is available, the main repository
+is always required to have a signature. Using the C<--require-verification>
+switch, C<tlmgr> also requires signatures from additional repositories.

Cryptographic verification requires checksum checking (described just
above) to succeed, and a working GnuPG (C<gpg>) program (see below for
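Review bot: after this addition the policy is spread over three sentences with slightly different wording ("if verification is not possible, the program quits" above, "always required to have a signature" for main, "also requires signatures from additional repositories" for the switch). State the rule once, in one place: without --require-verification, only the main repository must verify; with it, a missing gpg binary, a missing signature or an unknown key on any repository is fatal. As written, a reader cannot tell from this paragraph alone whether a missing gpg counts as "verification is not possible" for the main repository when --require-verification is given.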


If you have any further suggestions for the section
CRYPTOGRAPHIC VERIFICATION
in the tlmgr man/help, please send them.

Thanks

Norbert

--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Philipp
2018-01-21 21:02:15 UTC
As I just had to install Texlive on a new machine, I realized that I
don't understand the difference between "--require-verification" and
"--verify-downloads".

I installed from DVD, changed the repository afterwards to the CTAN
mirror and then ran "tlmgr update --self --require-verification" and
"tlmgr update --all --require-verification".
Is this sufficient to ensure that all downloaded packages are actually verified?
According to the manual, "verify-downloads" seems to be set to true by
default, so I guess one doesn't have to deal with that option unless
one wants to disable it?
What would happen if one combines "--require-verification" with
"--no-verify-downloads" or vice versa?

I also wanted to have a look at the config files for tlmgr to have a
look at the default values, but it seems that neither a system-wide
nor a user-specific file exists. Is this correct? (kpsewhich
-var-value=... lists paths for both, but the system-wide path only
contains a file named "ls-R" and the user-specific doesn't even
exist).

Regards,
Philipp
Norbert Preining
2018-01-22 00:11:29 UTC
Hi,

verify-downloads sets the stage for general verification by searching
for a valid gpg binary. If this is not available, no verification can
happen.
verify-downloads can be set in the user or global configuration file
(TEXMFSYSCONFIG/tlmgr/config or TEXMFCONFIG/tlmgr/config) using the
key
verify-downloads = 0|1
If verify-downloads is set to 0 in the config file, or via
--no-verify-downloads then gpg is not searched and all gpg operations
will error.

require-verification defines the policy what to do if a repository is
either not signed, or it is signed but the public key has not been
imported into the TeX Live keyring:
- if require-verification is off (default), missing signatures or
unavailable public keys are *NOT* errors
- if require-verification is on, missing signatures or unavailable
public keys result in tlmgr terminating.
Note however that for the *main* repository (tlnet) this is turned
on by default, that means that whatever setting you have for
require-verification, the signature of the main repository will
be checked.

Explanation:
- we know that the main repository is always signed, because we do not
push out from our server to CTAN if the signature creation failed.
- we *don't* know whether all other repositories are signed, and in
particular whether the user has imported the respective keys for
verification.
- the defaults are set up that if gpg is available, the main repository
will be checked, and other repositories will be checked *if* they
provide a signature *and* the user has imported the remote public key.
- if an additional repository is not signed, or signed and the remote
public key is not imported, and require-verification is not set, then
tlmgr will *not* error out.
Post by Philipp
I installed from DVD, changed the repository afterwards to the CTAN
mirror and then ran "tlmgr update --self --require-verification" and
"tlmgr update --all --require-verification".
Is this sufficient to ensure that all downloaded packages are actually verified?
For packages downloaded from the main TeX Live repository, that is one
of the CTAN tlnet mirrors, this is enough if you have a gpg available.
Post by Philipp
According to the manual, "verify-downloads" seems to be set to true by
default, so I guess one doesn't have to deal with that option unless
one wants to disable it?
Correct.
Post by Philipp
What would happen if one combines "--require-verification" with
"--no-verify-downloads" or vice versa?
Consequence of the above:
- because --no-verify-downloads is set, no gpg is initialized.
- because we require verification, all repositories, including main
are checked with gpg, which results in a failure,
thus tlmgr will error out, as a trivial experiment shows:

[~] tlmgr update --list
tlmgr: package repositories
main = /home/norbert/public_html/tlnet (verified)
tlcontrib = /home/norbert/Domains/server/texlive.info/contrib/2017 (verified)
tltexjp = /home/norbert/public_html/tltexjp (verified)
tlcritical = /home/norbert/public_html/tlcritical (verified)
tlmgr: saving backups to /home/norbert/tl/2017/tlpkg/backups
tlmgr: no updates available

[~] tlmgr --no-verify-downloads update --list
tlmgr: package repositories
main = /home/norbert/public_html/tlnet (not verified: gpg unavailable)
tltexjp = /home/norbert/public_html/tltexjp (not verified: gpg unavailable)
tlcontrib = /home/norbert/Domains/server/texlive.info/contrib/2017 (not verified: gpg unavailable)
tlcritical = /home/norbert/public_html/tlcritical (not verified: gpg unavailable)
tlmgr: saving backups to /home/norbert/tl/2017/tlpkg/backups
tlmgr: no updates available

[~] tlmgr --require-verification update --list
tlmgr: package repositories
main = /home/norbert/public_html/tlnet (verified)
tlcritical = /home/norbert/public_html/tlcritical (verified)
tlcontrib = /home/norbert/Domains/server/texlive.info/contrib/2017 (verified)
tltexjp = /home/norbert/public_html/tltexjp (verified)
tlmgr: saving backups to /home/norbert/tl/2017/tlpkg/backups
tlmgr: no updates available

[~] tlmgr --no-verify-downloads --require-verification update --list
Remote TeX Live database (/home/norbert/public_html/tlnet) is not verified, exiting.


Now, let us remove the signature of an additional repository
(tlcontrib):
[~] tlmgr update --list
tlmgr: package repositories
main = /home/norbert/public_html/tlnet (verified)
tltexjp = /home/norbert/public_html/tltexjp (verified)
tlcontrib = /home/norbert/Domains/server/texlive.info/contrib/2017 (not verified: unsigned)
tlcritical = /home/norbert/public_html/tlcritical (verified)
tlmgr: saving backups to /home/norbert/tl/2017/tlpkg/backups
tlmgr: no updates available

[~] tlmgr --no-verify-downloads update --list
remains the same as above

[~] tlmgr --require-verification update --list
Remote TeX Live database (/home/norbert/Domains/server/texlive.info/contrib/2017) is not verified, exiting.

[~] tlmgr --no-verify-downloads --require-verification update --list
Remote TeX Live database (/home/norbert/public_html/tlnet) is not verified, exiting.

More or less the same happens if the remote key is not installed, just
the message in the first case (not verified: unsigned) changes.
Post by Philipp
I also wanted to have a look at the config files for tlmgr to have a
look at the default values, but it seems that neither a system-wide
nor a user-specific file exists. Is this correct? (kpsewhich
No, this is not correct, see the documentation
https://www.tug.org/texlive/doc/tlmgr.html#CONFIGURATION-FILE-FOR-TLMGR

Hope that helps

Norbert

--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
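The decision rules Norbert lays out above (verify-downloads decides whether gpg is initialised at all, require-verification decides whether a missing signature or unknown key is fatal, and the main repository is always subject to the strict rule) written out as a small policy function. This is an added example, not tlmgr code: the SigStatus, Repo and Options types are assumptions made for the illustration, the repository names and paths are the ones from the session output above, and the treatment of a signature that fails to verify (always fatal here) is an assumption rather than something the thread states.

```python
"""Added example: tlmgr's repository verification policy as described in
the thread, as a decision function.  Not tlmgr code; the types below are
assumptions, the paths are the ones from Norbert's session output."""
from dataclasses import dataclass
from enum import Enum


class SigStatus(Enum):
    VALID = "verified"           # signed, key in the TeX Live keyring, signature checks out
    UNSIGNED = "unsigned"        # no signature shipped with texlive.tlpdb.sha512
    UNKNOWN_KEY = "unknown key"  # signed, but the public key was never imported
    BAD = "bad signature"        # signed with a known key, but the signature does not verify


@dataclass(frozen=True)
class Repo:
    name: str
    path: str
    sig: SigStatus


@dataclass(frozen=True)
class Options:
    gpg_available: bool = True          # a gpg binary in PATH (Gpg4Win or tlgpg)
    verify_downloads: bool = True       # --verify-downloads / --no-verify-downloads
    require_verification: bool = False  # --require-verification


class NotVerified(Exception):
    """tlmgr terminates: 'Remote TeX Live database (...) is not verified, exiting.'"""


def repo_status(repo, is_main, opts):
    """Return the status tlmgr prints after the repository line, or raise NotVerified."""
    msg = f"Remote TeX Live database ({repo.path}) is not verified, exiting."

    # --no-verify-downloads (or no gpg binary): gpg is never initialised, so no
    # signature status can be determined for *any* repository, main included.
    if not opts.verify_downloads or not opts.gpg_available:
        if opts.require_verification:
            raise NotVerified(msg)
        return "not verified: gpg unavailable"

    if repo.sig is SigStatus.VALID:
        return "verified"
    if repo.sig is SigStatus.BAD:
        # Assumption for this example: a signature that fails to verify is always fatal.
        raise NotVerified(msg)

    # Unsigned, or signed with a key we do not have: the main repository must
    # always verify; additional repositories only under --require-verification.
    if is_main or opts.require_verification:
        raise NotVerified(msg)
    return f"not verified: {repo.sig.value}"


def report(main, extras, opts):
    """The lines under 'tlmgr: package repositories'; main is checked first,
    so with --no-verify-downloads --require-verification it is main that
    appears in the error, exactly as in the session above."""
    lines = [f"main = {main.path} ({repo_status(main, True, opts)})"]
    for r in extras:
        lines.append(f"{r.name} = {r.path} ({repo_status(r, False, opts)})")
    return lines


MAIN = Repo("main", "/home/norbert/public_html/tlnet", SigStatus.VALID)
EXTRAS = [
    Repo("tlcontrib", "/home/norbert/Domains/server/texlive.info/contrib/2017", SigStatus.VALID),
    Repo("tltexjp", "/home/norbert/public_html/tltexjp", SigStatus.VALID),
]

if __name__ == "__main__":
    for opts in (Options(), Options(verify_downloads=False), Options(require_verification=True)):
        print(opts, *report(MAIN, EXTRAS, opts), sep="\n  ")
    try:
        report(MAIN, EXTRAS, Options(verify_downloads=False, require_verification=True))
    except NotVerified as e:
        print(e)
```

The function makes the asymmetry visible that the rest of the thread circles around: --no-require-verification cannot relax the check on main, while --no-verify-downloads switches gpg off for everything, so the combination --no-verify-downloads --require-verification can only ever fail.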
Philipp
2018-01-22 22:58:22 UTC
Thank you for the detailed reply and explanation. Perhaps this could
also be made somewhat clearer in the tlmgr manual?
I still don't quite understand why --no-verify-downloads is needed: If
one has gpg installed, but doesn't want signatures to be checked,
wouldn't --no-require-verification suffice (apart from the main
repository, where you said this option has no effect)?


What I didn't realize up to now was that these settings have nothing
to do with the verification of the actual packages, i.e. the
computation and comparison of sha512 hashes, as introduced with
Texlive 2016.

Am I right that a) the Windows version ships with Perl's Digest::SHA
and that b) hashes of *all* downloaded/updated packages are computed
and compared with the values specified in the database file by
default? Both the terminal output and the logfile say nothing about
this, but as tlmgr seems to be rather silent as long as there are no
problems, I hope this is a good sign ;-)

I find the description in the manual a bit confusing, as it first
mentions package checksums, but then explains it further by referring
to texlive.tlpdb.sha512, which only seems to contain a hash for the
texlive.tlpdb file itself.
(The manual says "That is, for each texlive.tlpdb loaded from a
repository, the corresponding checksum file texlive.tlpdb.sha512 is
also downloaded, and tlmgr confirms whether the checksum of the
downloaded TLPDB file agrees with the download data." - which sounds
as if *only* the tlpdb file is verified).
Post by Norbert Preining
Post by Philipp
I also wanted to have a look at the config files for tlmgr to have a
look at the default values, but it seems that neither a system-wide
nor a user-specific file exists. Is this correct? (kpsewhich
No, this is not correct, see the documentation
https://www.tug.org/texlive/doc/tlmgr.html#CONFIGURATION-FILE-FOR-TLMGR
I did read this and tried both "kpsewhich -var-value TEXMFCONFIG" and
"kpsewhich -var-value TEXMFSYSCONFIG"

The former prints a path inside my user directory that does not exist,
the latter refers to "texmf-config" inside the Texlive install
directory, but there's only a file named "ls-R" inside, and no "tlmgr"
subfolder.
I guess I could place a config file at either location, but I wonder
if any default config file should already be there.
Post by Norbert Preining
Hope that helps
Yes, it did. Thanks again, and sorry for another ton of questions in
this mail...

Oh, and one more thing: "tlmgr --version" reports revision 46034 after
the latest update, but this version isn't yet listed in the tlmgr
news: https://www.tug.org/texlive/tlmgr-news.html



Philipp
Norbert Preining
2018-01-23 00:06:36 UTC
Hi Philipp,
Post by Philipp
also be made somewhat clearer in the tlmgr manual?
Yes indeed, it could be made clearer :-)
Post by Philipp
I still don't quite understand why --no-verify-downloads is needed: If
one has gpg installed, but doesn't want signatures to be checked,
wouldn't --no-require-verification suffice (apart from the main
repository, where you said this option has no effect)?
Without --no-verify-downloads you will always get the main repository
checked, which cannot be turned off with --no-require-verification.
But with --no-verify-downloads even the main repo is not checked.
Post by Philipp
What I didn't realize up to now was that these settings have nothing
to do with the verification of the actual packages, i.e. the
computation and comparison of sha512 hashes, as introduced with
Texlive 2016.
I tend to not call this "verification" but integrity check. Without
verification of the signature of the main tlpdb, the package can still
contain anything (an attacker can change the content of a package as
well as the sha/md sums in the tlpdb). The checksum is here to guarantee
integrity of the downloaded package.

It is true that without verification this is not that useful, because
the un-xz is a very good integrity checker, too.
Post by Philipp
Am I right that a) the Windows version ships with Perl's Digest::SHA
and that b) hashes of *all* downloaded/updated packages are computed
and compared with the values specified in the database file by
Yes.
Post by Philipp
default? Both the terminal output and the logfile say nothing about
this, but as tlmgr seems to be rather silent as long as there are no
problems, I hope this is a good sign ;-)
Yes, the checksums are always done. Run tlmgr with -v and you will see
some more output:
...
D:12many upd package
D: done 12many.r1587.tar.xz, size 382132, 5e1a3e83b1f186dd4108843a0c248126566a20b9070b06f12a76b5e308615aeb5a419bdcbab2ccee66daeed1032e724ec016e5a005ac330e314228b6d5199b8e
...

If you run with -v -v then you will get even more (but expect faaaar too
much output to actually find it ;-)
...
D:12many upd package
DD:running system(tar -cf /home/norbert/tl/2017/tlpkg/backups/12many.r1587.tar texmf-dist/doc/latex/12many/12many.pdf texmf-dist/doc/latex/12many/README texmf-dist/source/latex/12many/12many.dtx texmf-dist/source/latex/12many/12many.ins texmf-dist/tex/latex/12many/12many.sty tlpkg/tlpobj/12many.tlpobj)
DD:tlchecksum: out = 8322d74706c0fa431319a937b1712d49a0244b9bc70b44bbe471a75603f99f89728f8270dc5369318a1fe8185d3667af097675e1b79f4d9931616d6a8e26255b
DD:tlchecksum: cs ===8322d74706c0fa431319a937b1712d49a0244b9bc70b44bbe471a75603f99f89728f8270dc5369318a1fe8185d3667af097675e1b79f4d9931616d6a8e26255b===
DD:xchdir(/home/norbert) ok
D: done 12many.r1587.tar.xz, size 382132, 8322d74706c0fa431319a937b1712d49a0244b9bc70b44bbe471a75603f99f89728f8270dc5369318a1fe8185d3667af097675e1b79f4d9931616d6a8e26255b
Post by Philipp
(The manual says "That is, for each texlive.tlpdb loaded from a
repository, the corresponding checksum file texlive.tlpdb.sha512 is
also downloaded, and tlmgr confirms whether the checksum of the
downloaded TLPDB file agrees with the download data." - which sounds
as if *only* the tlpdb file is verified).
*verified* means that a cryptographic signature is checked. After that
each package in turn is checked for integrity, and as a consequence also
verified (unless the checksum mechanism is broken and can be
circumvented, which is with sha256 not possible at the moment).
Post by Philipp
I did read this and tried both "kpsewhich -var-value TEXMFCONFIG" and
"kpsewhich -var-value TEXMFSYSCONFIG"
The former prints a path inside my user directory that does not exist,
the latter refers to "texmf-config" inside the Texlive install
directory, but there's only a file named "ls-R" inside, and no "tlmgr"
subfolder.
I guess I could place a config file at either location, but I wonder
if any default config file should already be there.
No default config file is provided, none is necessary.
Post by Philipp
Oh, and one more thing: "tlmgr --version" reports revision 46034 after
the latest update, but this version isn't yet listed in the tlmgr
news: https://www.tug.org/texlive/tlmgr-news.html
Because you install from tlcritical maybe? The tlmgr-news is for the
released version of tlmgr, not the one in testing/tlcritical.

All the best

Norbert

--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Philipp
2018-01-23 18:27:32 UTC
Hi Norbert,

thanks again for shedding some light on the details of tlmgr.
Post by Norbert Preining
Yes indeed, it could be made clearer :-)
I'd like to help here, but I haven't had an idea so far how it could
be made clearer.
Post by Norbert Preining
Without --no-verify-downloads you will always get the main repository
checked, which cannot be turned off with --no-require-verification.
But with --no-verify-downloads even the main repo is not checked.
Is this the only case where it makes a difference? I can't even guess
how many users might need it, but it would greatly simplify the manual
if "--(no)-verify-downloads" could be completely removed ;-)
Post by Norbert Preining
Yes, the checksums are always done. Run tlmgr with -v and you will see
Thanks for the hint, the additional output is indeed interesting.
Out of curiosity, I randomly picked one of the hashes printed by "-v"
and searched the tlpdb files for it (both texlive.tlpdb and all of the
texlive.tlpdb.somehash files). To my surprise, the hash wasn't found
anywhere.
I then had a look at the "backups" folder and calculated the
sha512-hashes of all the .tar.xz files there. I found that the hash I
had copied is the hash of "collection-latexextra.r46401.tar.xz". The
file is 5628 bytes in size, and its hash is
18DF732AAF72569D72FCD1DBEEB905FFBEB089D9FFC5FB01D7FC70431ADA735B28C01D35C61220064F90360963952803D93B16C8533FA1B74AC335B7859B1861
Post by Norbert Preining
name collection-latexextra
category Collection
revision 46401
[...] lots of stuff omitted
containersize 5504
containerchecksum 1ff42dd776de6e3325e1bca5b9975353b56531a5da2f961612c0e41e41b419a0b1a77a14191b935f591d7df14049fd8f4cea11ddec46851b43fa03ee9748cf92
I'd like to understand what is happening here. Obviously, the hash in
the database does not match the hash of the corresponding .tar.xz
file, but tlmgr did not complain. It also does not match the hash of
the .tar file that's inside, nor of the included .tlpobj file.

As the .tar.xz file is also 124 bytes larger than specified in the
database, I guess some bytes are stripped before the hash is
calculated? But if so, why? And why does -v print the "wrong" hash?
I also noted that in your example, -v prints a different hash than -v
-v, although the package/file seems to be the same?!
Post by Norbert Preining
Post by Philipp
(The manual says "That is, for each texlive.tlpdb loaded from a
repository, the corresponding checksum file texlive.tlpdb.sha512 is
also downloaded, and tlmgr confirms whether the checksum of the
downloaded TLPDB file agrees with the download data." - which sounds
as if *only* the tlpdb file is verified).
*verified* means that a cryptographic signature is checked. After that
each package in turn is checked for integrity, and as a consequence also
verified (unless the checksum mechanism is broken and can be
circumvented, which is with sha256 not possible at the moment).
Sorry, my mistake - I used "verified" here, but meant integrity check,
i.e. comparison of sha512 hashes. The manual doesn't confuse these two
Post by Norbert Preining
By default, package checksums computed and stored on the server (in the TLPDB) are
compared to checksums computed locally after downloading.
That is, for each texlive.tlpdb loaded from a repository, the corresponding checksum file
texlive.tlpdb.sha512 is also downloaded, and tlmgr confirms whether the checksum of the
downloaded TLPDB file agrees with the download data.
This sounds to me as if hash computation and comparison is only done
for the tlpdb file(s), not for each downloaded package, so in my
opinion, it is rather misleading, given the first sentence.


Best regards,
Philipp
Norbert Preining
2018-01-24 04:00:32 UTC
Hi Philipp,

(btw, removing Martin, he is anyway on the list I guess)
Post by Philipp
I'd like to help here, but I haven't had an idea so far how it could
be made clearer.
If I have some spare time, I will try to write up more details, but I am
not sure whether the tlmgr man page is the correct place.
Post by Philipp
Post by Norbert Preining
Without --no-verify-downloads you will always get the main repository
checked, which cannot be turned off with --no-require-verification.
But with --no-verify-downloads even the main repo is not checked.
Is this the only case where it makes a difference? I can't even guess
Well, these are conceptually two different things: the one controls
whether checks should be made, the other controls whether missing
signatures should be treated as errors or not.

Thus there are more differences: With --no-verify-downloads, nothing is
done, and no gpg available or so is reported. While without it, the
signature status (no signature, missing public key, ...) is reported.
Post by Philipp
texlive.tlpdb.somehash files). To my surprise, the hash wasn't found
anywhere.
Indeed, there are a lot of components playing into this, one being that the
logging of checksums was not done in all places :-((( Sorry for that.
The other thing was that the actual packages were only checked against
the sizes and not the checksum, due to some refactoring at some point
(renaming the checksum data from containermd5 to containerchecksum).

This has been fixed now in the subversion repository and will be pushed
out rather soon. Now with -v tlmgr would spit out something like this:

D:tlpdb:_install_data: what=/home/norbert/public_html/tlnet/archive/collection-latexextra.tar.xz, target=/home/norbert/tl/2017/texmf-dist, size=5504, checksum=6e72d01334e032e927d1ccc06e50766d6d151e20e6d6997a3c4e2950b73bc082bce773a946930b9db9ec20f323a88a2d242f0cb012998a258fc4244de546fb33, tmpdir=/tmp/UQNV4diBME/lzqy7LKVuv
D:check_file /tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar.xz, 6e72d01334e032e927d1ccc06e50766d6d151e20e6d6997a3c4e2950b73bc082bce773a946930b9db9ec20f323a88a2d242f0cb012998a258fc4244de546fb33, 5504
D:tlchecksum(/tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar.xz): ===6e72d01334e032e927d1ccc06e50766d6d151e20e6d6997a3c4e2950b73bc082bce773a946930b9db9ec20f323a88a2d242f0cb012998a258fc4244de546fb33===
D:TLUtils::check_file: checksums for /tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar.xz agree
D:un-xzing /tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar.xz to /tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar

Big thanks for your insistence which pointed me at insufficiencies *and*
bugs in the code!!!!

Thanks

Norbert

--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
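Two points from the thread are easy to lose in the debug output: Norbert's earlier remark that the checksum only guarantees integrity (a mirror that rewrites the package can rewrite the containerchecksum in texlive.tlpdb too, so without a signature on the TLPDB the check proves nothing about authenticity), and the bug found in this post (containers were compared against containersize only). The following is an added example, not tlmgr code: it builds a constructed .tar.xz container and a constructed .tlpdb stanza in memory, parses the stanza the way the containersize/containerchecksum fields are laid out above, and runs the size-only check beside the full check against an honest container, a same-size tampered container, and a mirror that also rewrites the TLPDB. The helper names are this example's own.

```python
"""Added example: the integrity checks tlmgr applies to a package container
(containersize / containerchecksum from texlive.tlpdb) and what they do and
do not prove.  Not tlmgr code; the container and .tlpdb text are constructed."""
import hashlib
import io
import lzma
import tarfile


def build_container(files):
    """Build a .tar.xz container in memory from {path: bytes} (constructed sample)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return lzma.compress(tar_buf.getvalue())


def sha512_hex(blob):
    return hashlib.sha512(blob).hexdigest()


def tlpdb_stanza(name, revision, container):
    """The subset of a texlive.tlpdb stanza that the integrity check uses."""
    return (f"name {name}\ncategory Package\nrevision {revision}\n"
            f"containersize {len(container)}\n"
            f"containerchecksum {sha512_hex(container)}\n")


def parse_tlpdb(text):
    """Parse the blank-line separated stanza format of texlive.tlpdb into
    {name: {key: value}}.  Indented continuation lines (file lists) are skipped."""
    pkgs, cur = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                pkgs[cur["name"]] = cur
                cur = {}
            continue
        if line[0] == " ":
            continue
        key, _, val = line.partition(" ")
        cur[key] = val
    if cur:
        pkgs[cur["name"]] = cur
    return pkgs


def check_size_only(container, entry):
    """The behaviour the thread uncovered: only containersize was compared."""
    return len(container) == int(entry["containersize"])


def check_file(container, entry):
    """Size and SHA-512 must both agree with the TLPDB stanza."""
    if len(container) != int(entry["containersize"]):
        return False, "size mismatch"
    if sha512_hex(container) != entry["containerchecksum"]:
        return False, "checksum mismatch"
    return True, "checksums agree"


def tlpdb_checksum_ok(tlpdb_text, published_sha512):
    """What texlive.tlpdb.sha512 alone gives you: a match shows the TLPDB arrived
    intact, not that it was produced by the TeX Live maintainers.  Only the gpg
    signature over that checksum file establishes the latter."""
    return sha512_hex(tlpdb_text.encode()) == published_sha512


def scenario():
    """Honest repository, a same-size tampered container, and a mirror that
    rewrites both the container and the TLPDB.  Returns each check's outcome."""
    good = build_container({"texmf-dist/tex/latex/demo/demo.sty":
                            b"\\ProvidesPackage{demo}\n"})
    header = "name 00texlive.config\ncategory TLCore\n\n"
    entry = parse_tlpdb(header + tlpdb_stanza("demo", 1, good))["demo"]

    # A mirror serves a different blob of identical length: whoever controls the
    # mirror can pad a malicious container until its size matches the TLPDB entry.
    tampered = bytes(len(good))

    # The same mirror also rewrites texlive.tlpdb (and texlive.tlpdb.sha512) so the
    # tampered blob matches; the checksum machinery has no way to notice.
    evil_tlpdb = header + tlpdb_stanza("demo", 1, tampered)
    evil_entry = parse_tlpdb(evil_tlpdb)["demo"]

    return {
        "good_size_only": check_size_only(good, entry),
        "good_full": check_file(good, entry),
        "tampered_size_only": check_size_only(tampered, entry),      # passes: the bug
        "tampered_full": check_file(tampered, entry),                # caught by the fix
        "rewritten_tlpdb_full": check_file(tampered, evil_entry),    # passes: needs gpg
        "rewritten_tlpdb_sha512": tlpdb_checksum_ok(evil_tlpdb, sha512_hex(evil_tlpdb.encode())),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The last two entries are the reason the thread keeps separating "verification" from "integrity check": with the container checksum fixed, a tampered package from an honest TLPDB is caught, but a mirror that controls the TLPDB passes every checksum, and only the gpg signature over texlive.tlpdb.sha512 closes that hole.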
Philipp
2018-01-24 07:01:48 UTC
Hi Norbert,
Post by Norbert Preining
Indeed, there are a lot of components playing into, one being that the
logging of checksum was not done in all places :-((( Sorry for that.
The other thing was that the actual packages were only checked against
the sizes and not the checksum, due to some refactoring at some point
(renaming the checksum data from containermd5 to containerchecksum).
Oh, that's bad news. :-( So in the worst case, a compromised mirror
could have delivered arbitrary packages, as long as they matched the
original version in size?

But despite all this, one question remains: From what I can tell, "-v"
printed the actual checksum of the tar.xz file, but the database
contained another checksum.
This would mean that the file that was downloaded is not what it
should be according to the database. The size also did not match, so
even if tlmgr ignored the checksum mismatch, this should not have
worked. Doesn't the database entry refer to the .tar.xz file(s)?
Post by Norbert Preining
Big thanks for your insistance which pointed me at insufficiencies *and*
bugs in the code!!!!
I'm glad if I could help.

Best regards,
Philipp
Norbert Preining
2018-01-24 07:26:14 UTC
Hi,
Post by Philipp
Oh, that's bad news. :-( So in the worst case, a compromised mirror
could have delivered arbitrary packages, as long as they matched the
original version in size?
Well, that was the case for the last 10 years, without even the size
check ;-) Now we have at least a guaranteed size check ;-) And with the
fixes I just committed again also checksum checks.
Post by Philipp
But despite all this, one question remains: From what I can tell, "-v"
printed the actual checksum of the tar.xz file, but the database
contained another checksum.
No, it printed the checksum of the backup made before doing the upgrade.
That is of course not registered anywhere because it depends on the
system.

Norbert

--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Karl Berry
2018-01-23 00:17:01 UTC
Post by Philipp
Oh, and one more thing: "tlmgr --version" reports revision 46034 after
the latest update, but this version isn't yet listed in the tlmgr
news: https://www.tug.org/texlive/tlmgr-news.html
Oops, I forgot to update tlmgr-news after the last release.
It's there now. Thanks. -k