[tex-live] GPG message using tlpretest on OSX

Zdenek Wagner zdenek.wagner at gmail.com
Tue Apr 19 01:56:18 CEST 2016


2016-04-18 23:36 GMT+02:00 Angelo Graziosi <angelo.graziosi at alice.it>:

>
>
> Il 18/04/2016 22:59, Reinhard Kotucha ha scritto:
>
>> On 2016-04-18 at 21:57:04 +0200, Angelo Graziosi wrote:
>>
>>   > Norbert Preining wrote:
>>   > > Are you ready to defend TUG in front of an US court? If not, please
>>   > > stop bothering us.
>>   >
>>   > I am afraid bothering you, but this is one more reason to remove this
>>   > from TL2016...
>>
>> No, this can never be a reason.
>>
>> And even if you can convince Norbert to add an option which allows to
>> control this behavior, everything which enhances security has to be
>> turned on by default.  Always.
>>
>> It seems that you prefer convenience to security.  Not a good idea,
>>
>
> No, I don't prefer convenience but you are changing the policy of TL.
>
> It was to make TL as much as possible self-contained adding programs it
> needs in the distribution. Only rarely you allowed that someone of those
> program were already installed on the OS..
>
> Now, you not only do not add the program (for any noble reason that you
> want) but also allow for it to not be installed or not available from the
> OS. It is the first time I "hear" this kind of argument on this list..
>
> If you want add that, it should be off by default. Then you can say:
>
>  Dear user, have you installed gpg? May you install it? yes? do you want
> to check for security? yes? then enable it with:
>
> tlmgr option gpg 1
>
>
> What is the logic of installing something that then, perhaps, you can not
> use?
>
> This is my opinion.
>
> Do you like that? DO that, but it is only a security illusion..
>

I have reread your original e-mail again. I do not see any complaint made
by tlmgr, there is not even a warning, it just informs that gpg was not
found and prvcessing continues. It does not pretend to work securely, so I
do not see any illusion. The current behaviour is useful for those who know
what gpg is, are able to install software and thus get more security.
Without this message these people will not know that it is worth to install
gpg. Do you really want to keep people uninformed and let them use less
security although more secure way is readily available?

>
>
>  Angelo
>



Zdeněk Wagner
http://ttsm.icpf.cas.cz/team/wagner.shtml
http://icebearsoft.euweb.cz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://tug.org/pipermail/tex-live/attachments/20160419/0c015099/attachment-0001.html>


More information about the tex-live mailing list