<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
</div>
<blockquote type="cite">
<div>
On 06/05/2024 15:11 CEST Norbert Preining &lt;<a href="mailto:norbert@preining.info">norbert@preining.info</a>&gt; wrote:
</div>
<div>
</div>
<div>
</div>
<div>
On Mon, 06 May 2024, Jonathan Fine wrote:
</div>
<blockquote type="cite">
<div>
This suggests that providing a secure and trusted supply chain for fonts,
</div>
<div>
macros and other resources would help the managers of non-human TeX users.
</div>
</blockquote>
<div>
I always ask the same thing, not only you, but also in meetings at work:
</div>
<div>
What is an actionable item you propose?
</div>
<div>
Jonathan, you are a master of "abstract" proposals without any
</div>
<div>
actionable steps. So let me help you here:
</div>
<div>
</div>
<div>
- step 1: all authors of CTAN packages are required to create GPG keys
</div>
<div>
and register their public keys with a (to be created) key server at
</div>
<div>
CTAN
</div>
<div>
- step 2: all uploads to CTAN need to be signed with a registered GPG key
</div>
<div>
- step 3: uploaded packages that have no signature get a "slack time" of
</div>
<div>
1 year, after which they will be removed from CTAN
</div>
</blockquote>
<div>
</div>
<div class="default-style">
I think we have a lot of orphaned packages on CTAN. Sometimes the author has simply lost interest or has even died. I am not sure whether it would be a good service to the TeX community to eliminate this historical knowledge.
</div>
<div class="default-style">
Currently we have a directory "obsolete" where everything is moved to which should otherwise be deleted. Thus step 3 should be reconsidered. Primarily we encourage people to publish packages and not to delete them.
</div>
<div class="default-style">
</div>
<div class="default-style">
Step 2 is somehow my domain. I am working on a next major release of the CTAN site (too long already and too slow). Allowing only signed uploads might fit in there.
</div>
<div class="default-style">
Maybe I am ready when the other steps are;-)
</div>
<div class="default-style">
</div>
<div class="default-style">
[...]
</div>
<blockquote type="cite">
<div>
PS: We need volunteers to implement steps 1-3, step 4 I can do. The rest
</div>
<div>
is already done.
</div>
</blockquote>
<div>
</div>
<div class="io-ox-signature">
<p><em>Ciao<br>Gerd <br></em><span style="color: #999999;">(webmaster@ctan.org)</span></p>
</div>
</body>
</html>