[tex-live] hosting inst image

Florent Rougon f.rougon at free.fr
Sat Mar 3 11:23:34 CET 2007


Reinhard Kotucha <reinhard.kotucha at web.de> wrote:

> If BT provides its own facilities to check for authenticity and
> completeness md5sum is probably not needed.

I disagree. Who controls BT? Not any member of tug.org, AFAIK.
Therefore, I trust tug.org to provide a valid checksum, but not BT.

To make it clear, would you feel safe downloading the ISO image from
some obscure dictatorship's government website, with no means to check
its authenticity? I wouldn't. It may be that BT people don't have bad
intentions. Frankly, I don't know; I've never checked, not even used
their protocol. But even then, they could have been cracked and not be
aware of it. Since the authoritative source for TL is tug.org, the best
way not to degrade security from this point on is to publish checksums
on tug.org.

[ Even better would be to have them signed by an OpenPGP key from Karl
  (e.g., with GnuPG), which would be "transitively signed" by your own
  key, a key being signed only when you have done your best to ensure
  the key belongs to the person whose name and email address(es) are
  listed on it, which normally means meeting the person in real life and
  checking her ID document. cf. the "web of trust". ]
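The verification the message argues for, as an added example that is not part of the original thread or of TeX Live's own tooling: the digest file is taken from the authoritative host, the image from wherever it was downloaded, and the digest file's detached OpenPGP signature is checked against a pinned fingerprint rather than against whatever "Good signature" GnuPG happens to print. It uses SHA-256 where the 2007 thread talks about md5sum (MD5 still catches accidental corruption, but it is not collision resistant, so it is a poor choice when the threat is a tampering mirror). The file names, the keyring path and the fingerprint argument are assumptions for illustration; the gpg flags used (--no-default-keyring, --keyring, --status-fd, --verify) are real GnuPG options.

```shell
#!/bin/sh
# Added example (not from the tex-live thread): verify a downloaded image
# against a digest file published by the authoritative host, then check an
# OpenPGP detached signature on that digest file with GnuPG.
# File names and the fingerprint argument are assumptions for illustration.

# Portable SHA-256 of a file (sha256sum on GNU, shasum on BSD/macOS, else openssl).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_checksum IMAGE DIGESTFILE
# DIGESTFILE is in sha256sum's "<hex>  <name>" (or "<hex> *<name>") format and
# must come from the authoritative site, not from the mirror or torrent that
# delivered IMAGE. Returns 0 only when IMAGE's basename is listed and the
# digest matches exactly.
verify_checksum() {
    image=$1
    sums=$2
    name=$(basename "$image")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published digest"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_signature DIGESTFILE SIGFILE KEYRING FINGERPRINT
# Checks a detached signature over the digest file using only the keys in
# KEYRING, and accepts it only if GnuPG's machine-readable VALIDSIG status line
# names FINGERPRINT (the key you verified out of band, e.g. at a key signing).
# "Good signature" alone is not enough: any key in the keyring would produce it.
# Returns 0 on success, 2 if gpg is not installed, 1 otherwise.
verify_signature() {
    sums=$1
    sig=$2
    keyring=$3
    fpr=$4
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$sums" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# Self-contained demonstration on a constructed stand-in for the ISO image:
# a good download passes, and a single appended byte (what a tampered mirror
# could deliver) is caught. Returns 0 when both outcomes are as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for texlive.iso\n' > "$tmp/texlive.iso"
    # The digest file as the authoritative site would publish it.
    printf '%s  texlive.iso\n' "$(sha256_of "$tmp/texlive.iso")" > "$tmp/texlive.iso.sha256"
    if verify_checksum "$tmp/texlive.iso" "$tmp/texlive.iso.sha256"; then good=0; else good=1; fi
    printf 'X' >> "$tmp/texlive.iso"
    if verify_checksum "$tmp/texlive.iso" "$tmp/texlive.iso.sha256"; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

In use, the order matters: first verify_signature on the digest file (with the fingerprint you established through the web of trust or in person), and only then verify_checksum on the image. A digest that merely sits next to the image on the same untrusted mirror proves nothing, since whoever altered the image can regenerate it.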

