[tlbuild] wget in TL now needs https

Mojca Miklavec mojca.miklavec.lists at gmail.com
Tue Apr 27 10:19:15 CEST 2021

On Tue, 27 Apr 2021 at 09:01, Henri Menke wrote:
> With a
> default --no-check-certificates, HTTPS is just worthless and not worth
> the hassle.

If we don't pass --no-check-certificate, who is going to maintain an
up-to-date database of valid certificates for TeX Live?
Yes, by enforcing HTTPS and then explicitly requesting to
ignore/override all the security measures implemented inside HTTPS, we
are effectively at the same security level as via HTTP, and it's
certainly more difficult to compile wget in a proper way.

But I guess that at least the browsers will be happy then?

(At MacPorts we deliberately run all the mirrors via HTTP and rsync only.)

> That said, why do CTAN mirrors even need HTTPS? The tlmgr database is
> signed and the signature is checked before doing anything, so even if
> someone managed to MITM a mirror, there is no way to inject malicious
> binaries, because the signing key is not available.

(But in my opinion it's actually worse: why would you even bother
going through the hassle of doing a MITM on an existing mirror when
you can simply set up a mirror yourself and serve malware over a
perfectly valid certificate?)

I guess CTAN did that because browsers tend to annoy you more and more
if you use plain HTTP, and I blindly guess that some CTAN browsing
experience became broken at some point (in particular, downloading a
file from HTTP when the main site uses HTTPS may stop working).


More information about the tlbuild mailing list.