<div dir="ltr">po 6. 5. 2024 v 15:40 odesílatel Gerd Neugebauer <<a href="mailto:gene@gerd-neugebauer.de">gene@gerd-neugebauer.de</a>> napsal:<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<div>
</div>
<blockquote type="cite">
<div>
On 06/05/2024 15:11 CEST Norbert Preining <<a href="mailto:norbert@preining.info" target="_blank">norbert@preining.info</a>> wrote:
</div>
<div>
</div>
<div>
</div>
<div>
On Mon, 06 May 2024, Jonathan Fine wrote:
</div>
<blockquote type="cite">
<div>
This suggests that providing a secure and trusted supply chain for fonts,
</div>
<div>
macros and other resources would help the managers of non-human TeX users.
</div>
</blockquote>
<div>
I always ask the same thing, not only you, but also in meetings at work:
</div>
<div>
What is an actionable item you propose?
</div>
<div>
Jonathan, you are a master of "abstract" proposals without any
</div>
<div>
actionable steps. So let me help you here:
</div>
<div>
</div>
<div>
- step 1: all authors of CTAN packages are required to create GPG keys
</div>
<div>
and register their public keys with a (to be created) key server at
</div>
<div>
CTAN
</div>
<div>
- step 2: all uploads to CTAN needs to be sign with a registered GPG key
</div>
<div>
- step 3: uploaded packages that have no signature get a "slack time" of
</div>
<div>
1 year, after which they will be removed from CTAN
</div>
</blockquote>
<div>
</div>
<div>
I think we have a lot of orphanted packages on CTAN. Sometimes the author has simply lost interest or has even died. I am not sure whether it would be a good service to the TeX community to eliminate this historical knowledge.
</div>
<div>
Currently we have a directory "obsolete" where everything is moved to which should otherwise be deleted. Thus step 3 should be reconsidered. Primarily we encourage people to publish packages and not to delete them.
</div>
<div>
</div>
<div>
Step 2 is somehow my domain. I am working on a next major release of the CTAN site (too long already and too slow). Allowing only signed uploads might fit in there.
</div>
<div>
Maybe I am ready when the other steps are;-)
</div></div></blockquote><div><br></div><div>I agree with not deleting the old contents. Just because it is old and no longer developed does not mean that it is not used. Velthuis Devanagari is no longer developed but it still has its users because there are quite a lot of documents which have to be processed and cannot be converted easily to newer SW tools.</div><div><br></div><div>Step 2 is not easy. Anybody can generate a GPG key with a false identity. I can find a fingerprint of Norbert's key in many e-mails and I met Norbert many years ago personally thus I am sure that he is a real person but in many cases I know only names and I have no evidence that these are real persons (most probably they are but you are never sure). So to be sure, the identity of the uploaded GPG key should be verified by independent means.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div>
</div>
<div>
[...]
</div>
<blockquote type="cite">
<div>
PS: We need volunteers to implement steps 1-3, step 4 I can do. The rest
</div>
<div>
is already done.
</div>
</blockquote>
<div>
</div></div></blockquote><div><div dir="ltr"><br clear="all"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Zdeněk Wagner</div><div><a href="https://www.zdenek-wagner.eu/" target="_blank">https://www.zdenek-wagner.eu/</a></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><br></div></div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div>
<p><i>Ciao<br>Gerd <br></i><span style="color:rgb(153,153,153)">(<a href="mailto:webmaster@ctan.org" target="_blank">webmaster@ctan.org</a>)</span></p>
</div>
</div>
</blockquote></div></div>