[tlbuild] wget in TL now needs https

Henri Menke henri at henrimenke.de
Tue Apr 27 11:54:10 CEST 2021


On 27/04/21, 10:19, Mojca Miklavec wrote:
> On Tue, 27 Apr 2021 at 09:01, Henri Menke wrote:
> >
> > With a
> > default --no-check-certificates, HTTPS is just worthless and not worth
> > the hassle.
> 
> If we don't pass --no-check-certificate, who is going to maintain an
> up-to-date database of valid certificates for TeX Live?

Uhm, by doing what literally every Linux distribution does, which is
using the Mozilla certificate bundle?

Here are the Debian source files:
https://salsa.debian.org/debian/ca-certificates/-/tree/master/mozilla
Running certdata2pem.py will produce one file for each certificate but
you can also just concatenate them all into one file.

Other sources which do the same but slightly differently:
https://src.fedoraproject.org/rpms/ca-certificates/tree/rawhide
https://github.com/archlinux/svntogit-packages/blob/packages/nss/trunk/PKGBUILD
https://github.com/NixOS/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix
https://build.opensuse.org/package/show/openSUSE:Factory/ca-certificates-mozilla

Cheers, Henri

> Yes, by enforcing HTTPS and then explicitly requesting to
> ignore/override all the security measures implemented inside HTTPS, we
> are effectively at the same security level as via HTTP, and it's
> certainly more difficult to compile wget in a proper way.
> 
> But I guess that at least the browsers will be happy then?
> 
> (At MacPorts we deliberately run all the mirrors via HTTP and rsync only.)
> 
> > That said, why do CTAN mirrors even need HTTPS? The tlmgr database is
> > signed and the signature is checked before doing anything, so even if
> > someone managed to MITM a mirror, there is no way to inject malicious
> > binaries, because the signing key is not available.
> 
> Precisely.
> (But in my opinion it's actually worse: why would you even bother
> going through the hassle of doing a MITM on an existing mirror when
> you can simply set up a mirror yourself and serve malware over a
> perfectly valid certificate?)
> 
> I guess CTAN did that because browsers tend to annoy you more and more
> if you use plain HTTP, and I blindly guess that some CTAN browsing
> experience became broken at some point (in particular, downloading a
> file from HTTP when the main site uses HTTPS may stop working).
> 
> Mojca

