[tex-live] tlmgr: Package verification

Norbert Preining norbert at preining.info
Wed Jan 24 08:26:14 CET 2018


> Oh, that's bad news. :-( So in the worst case, a compromised mirror
> could have delivered arbitrary packages, as long as they matched the
> original version in size?

Well, that was the case for the last 10 years, without even the size
check ;-) Now we have at least a guaranteed size check ;-) And with the
fixes I just committed again also checksum checks.

> But despite all this, one question remains: From what I can tell, "-v"
> printed the actual checksum of the tar.xz file, but the database
> contained another checksum.

No, it printed the checksum of the backup made before doing the upgrade.
That is of course not registered anywhere because it depends on the


PREINING Norbert                               http://www.preining.info
Accelia Inc.     +    JAIST     +    TeX Live     +    Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
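
The difference between the size check and the checksum check discussed in this message, as an added example (not tlmgr's code and not part of the original mail). The function names, the choice of SHA-512 and the sample payload are assumptions made for illustration, and the expected values are assumed to come from a trusted copy of the package database.

```python
import hashlib
import hmac
import io


def size_only_check(stream, expected_size):
    """Size-only check: accepts any content of the right length."""
    return len(stream.read()) == expected_size


def verify_container(stream, expected_size, expected_sha512):
    """Check a downloaded archive against the size and SHA-512 recorded
    in the package database (hypothetical helper). Returns (ok, reason)."""
    digest = hashlib.sha512()
    seen = 0
    for chunk in iter(lambda: stream.read(65536), b""):
        seen += len(chunk)
        if seen > expected_size:
            # Stop early instead of hashing an oversized download.
            return False, "size mismatch (too large)"
        digest.update(chunk)
    if seen != expected_size:
        return False, "size mismatch"
    if not hmac.compare_digest(digest.hexdigest(), expected_sha512.lower()):
        return False, "checksum mismatch"
    return True, "ok"


# Constructed sample data: an "original" archive and a same-size variant
# with one byte changed, standing in for a modified file on a mirror.
ORIGINAL = b"constructed package payload v1.0\n" * 100
_modified = bytearray(ORIGINAL)
_modified[10] ^= 0xFF
TAMPERED = bytes(_modified)

# Values as they would be recorded in the database for ORIGINAL.
DB_SIZE = len(ORIGINAL)
DB_SHA512 = hashlib.sha512(ORIGINAL).hexdigest()

if __name__ == "__main__":
    print("size-only accepts modified file:",
          size_only_check(io.BytesIO(TAMPERED), DB_SIZE))
    print("size+checksum on modified file:",
          verify_container(io.BytesIO(TAMPERED), DB_SIZE, DB_SHA512))
    print("size+checksum on original file:",
          verify_container(io.BytesIO(ORIGINAL), DB_SIZE, DB_SHA512))
```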
