[tex-live] tlmgr: Package verification

Philipp philipp.kupferschmied at gmail.com
Wed Jan 24 08:01:48 CET 2018

Hi Norbert,

> Indeed, there are a lot of components playing into, one being that the
> logging of checksum was not done in all places :-((( Sorry for that.
> The other thing was that the actual packages were only checked against
> the sizes and not the checksum, due to some refactoring at some point
> (renaming the checksum data from containermd5 to containerchecksum).

Oh, that's bad news. :-( So in the worst case, a compromised mirror
could have delivered arbitrary packages, as long as they matched the
original version in size?

But despite all this, one question remains: From what I can tell, "-v"
printed the actual checksum of the tar.xz file, but the database
contained another checksum.
This would mean that the file that was downloaded is not what it
should be according to the database. The size also did not match, so
even if tlmgr ignored the checksum mismatch, this should not have
worked. Doesn't the database entry refer to the .tar.xz file(s)?

> Big thanks for your insistence which pointed me at insufficiencies *and*
> bugs in the code!!!!

I'm glad if I could help.

Best regards,


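The size-only check discussed in this thread, as an added illustration that is not tlmgr's own code: a constructed "container" and a tampered copy of identical length show what a size comparison accepts and a checksum comparison rejects. The field names `containersize`/`containerchecksum` and the use of SHA-512 as the checksum are assumptions about the database format, not taken from the message.

```python
import hashlib
import hmac

# Constructed stand-ins for a downloaded .tar.xz container: the tampered copy
# has exactly the same length as the original, so only a checksum can tell
# them apart. These bytes are made up for the example, not real TeX Live data.
GOOD_CONTAINER = b"\xfd7zXZ\x00" + b"package-payload-v1" * 4
TAMPERED_CONTAINER = b"\xfd7zXZ\x00" + b"package-payload-v2" * 4


def sha512_hex(data: bytes) -> str:
    """Hex digest of the container; SHA-512 is assumed for containerchecksum."""
    return hashlib.sha512(data).hexdigest()


# Constructed database entry; field names mirror the thread's wording but are
# an assumption about the actual tlpdb layout.
DB_ENTRY = {
    "containersize": len(GOOD_CONTAINER),
    "containerchecksum": sha512_hex(GOOD_CONTAINER),
}


def verify_size_only(data: bytes, entry: dict) -> bool:
    """The weak check: any same-sized file passes, tampered or not."""
    return len(data) == entry["containersize"]


def verify_container(data: bytes, entry: dict) -> tuple:
    """Size first (cheap, catches truncation), then the checksum.

    Returns (ok, reason) so a caller can log which check failed.
    """
    if len(data) != entry["containersize"]:
        return False, "size mismatch"
    actual = sha512_hex(data)
    # compare_digest avoids a timing side channel on the hex strings
    if not hmac.compare_digest(actual, entry["containerchecksum"]):
        return False, "checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    print("size-only accepts tampered file:", verify_size_only(TAMPERED_CONTAINER, DB_ENTRY))
    print("full check on tampered file:", verify_container(TAMPERED_CONTAINER, DB_ENTRY))
    print("full check on good file:", verify_container(GOOD_CONTAINER, DB_ENTRY))
```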