[tlbuild] wget in TL now needs https

Henri Menke henri at henrimenke.de
Tue Apr 27 11:54:10 CEST 2021

On 27/04/21, 10:19, Mojca Miklavec wrote:
> On Tue, 27 Apr 2021 at 09:01, Henri Menke wrote:
> >
> > With a
> > default --no-check-certificates, HTTPS is just worthless and not worth
> > the hassle.
> If we don't pass --no-check-certificate, who is going to maintain an
> up-to-date database of valid certificates for TeX Live?

Uhm, by doing what literally every Linux distribution does, which is
using the Mozilla certificate bundle?

Here are the Debian source files:
Running certdata2pem.py will produce one file for each certificate but
you can also just concatenate them all into one file.

Other source which do the same but slightly different:

Cheers, Henri

> Yes, by enforcing HTTPS and then explicitly requesting to
> ignore/override all the security measures implemented inside HTTPS, we
> are effectively at the same security level as via HTTP, and it's
> certainly more difficult to compile wget in a proper way.
> But I guess that at least the browsers will be happy then?
> (At MacPorts we deliberately run all the mirrors via HTTP and rsync only.)
> > That said, why do CTAN mirrors even need HTTPS? The tlmgr database is
> > signed and the signature is checked before doing anything, so even if
> > someone managed to MITM a mirror, there is no way to inject malicious
> > binaries, because the signing key is not available.
> Precisely.
> (But in my opinion it's actually worse: why would you even bother
> going through the hassle of doing a MITM on an existing mirror when
> you can simply set up a mirror yourself and serve malware over a
> perfectly valid certificate?)
> I guess CTAN did that because browsers tend to annoy you more and more
> if you use plain HTTP, and I blindly guess that some CTAN browsing
> experience became broken at some point (in particular, downloading a
> file from HTTP when the main site uses HTTPS may stop working).
> Mojca

More information about the tlbuild mailing list.