TeX Live future access in danger

George N. White III gnwiii at gmail.com
Sat Apr 13 03:34:17 CEST 2019

On Fri, 12 Apr 2019 at 19:29, Jonathan Kew <jfkthame at gmail.com> wrote:

> On 12/04/2019 21:30, Nelson H. F. Beebe wrote:
> > The SANS security list today carries a pointer to this story:
> >
> >       Google Chrome engineers want to block some HTTP file downloads
> >
> https://www.zdnet.com/article/google-chrome-engineers-want-to-block-some-http-file-downloads/
> >
> > The story notes:
> >
> >>> ...
> >>> According to a proposal the browser maker has put forward yesterday,
> >>> only the download of certain "high-risk" file types will be blocked by
> >>> default.
> >>>
> >>> This includes EXE (Windows application binary), DMG (Mac application
> >>> binary), CRX (Chrome extension package), and all the major archive
> >>> formats, like ZIP, GZIP, BZIP, TAR, RAR, and 7Z.
> >>> ...
> >
> > I personally view this as totally wrong-headed, and also easily
> > subverted by the creation of encrypted data streams transferred under
> > innocuous names.  Nevertheless, if implemented, it could be a
> > significant problem for Web sites with downloadable content, include
> > TeX Live and CTAN mirrors.
> More precisely, the proposal (as I understand it) is to block downloads
> carried out via HTTP links from sites that themselves load via an HTTPS
> URL.
> Many sites that use HTTPS redirect HTTP links to HTTPS.   It would be
messy for browsers to check lHTTP inks for HTTPS redirects.

So provided the downloads are also served via HTTPS (as they should be,
> to minimize the risk of tampering), they're not affected by this.

Existing links in documents on the server will still have HTTP URL's, so
in practice, CTAN sites have to provide HTTP for the foreseeable

> Perhaps it's time to enable HTTPS on those TL/CTAN mirrors....

Different mirrors serve different client groups.  Some groups may rely on
legacy hardware that doesn't support current ciphers, so HTTPS may
not be practical for every mirror.

George N. White III
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://tug.org/pipermail/tex-live/attachments/20190412/f02fc6c1/attachment.html>

More information about the tex-live mailing list