3

To what extent is the code of the packages included in tex distributions reviewed with respect to malicious code.

This is with respect to what is posted in documentation as well as what is actually used in the distribution.

kando
  • 1,338
  • What is malicious code? Changing the windows registry? Phishing? Hardly possible with TeX code directly. –  Nov 19 '15 at 18:06
  • Is your question related to the question of how safe it is to compile other's people code? If so, you could have a look at Don't Take LaTeX Files from Strangers, an article. – Clément Nov 19 '15 at 18:29
  • @Clément -- the link you give here for Don't Take ... doesn't deliver; the link you gave in the comment on the other question does. – barbara beeton Nov 19 '15 at 19:01
  • 1
    @barbarabeeton Oh, thanks for pointing that. Sorry, here it is : http://c59951.r51.cf2.rackcdn.com/5670-73506-checkoway.pdf – Clément Nov 19 '15 at 19:06
  • @Clément I have read this, actually. This isn't a question of running some rando's code using the Tex Live distribution; this is a question about the code included in the Tex Live distribution itself. – kando Nov 19 '15 at 21:43
  • 1
    @ChristianHupfer Really? What do you mean by 'directly'? If you run LuaTeX or ConTeXt (or you run another engine, of course, with shell escape), then, certainly, that stuff is possible so far as the TeX code is concerned. Of course, you shouldn't be running with the privileges required to change the registry, but that is a matter for the OS and not anything about TeX. – cfr Dec 13 '15 at 23:56
  • @cfr: I don't care really about LuaLaTeX or ConTeXt. You can do weird things with shell escape as well, if you run a script. But that's a OS breach. –  Dec 14 '15 at 10:04

1 Answers1

4

Simple answer at least for TeX Live: no review. Reviewing daily tens of package updates is impossible.

We do review packages/programs that we put into the shell escape allow list, but nothing else.

cfr
  • 198,882
norbert
  • 8,235
  • 1
    And if you use LuaTeX or ConTeXt then it really doesn't matter whether it is in the shell-escape allow-list or not.... – cfr Dec 13 '15 at 23:53
  • 1
    If a package required a non-standard installation method, would that either cause it to be excluded or cause it to be scrutinised? (I can't imagine quite how this would go, but I'm assuming this would cause either exclusion or scrutiny based on what I know about how packages get added to TL.) – cfr Dec 13 '15 at 23:59
  • Easy to check, look at the ctan2tds script in the TL svn Master/tlpg/libexec/, it contains special routines for hundreds of packages. We don't check the content, only that it is properly installed. And license. – norbert Dec 15 '15 at 00:38
  • Here? Are the routines in something? Are you really saying that if I claim my package needs to run mydestructivescript.sh in order to be installed correctly, you'll just add it? I assume that you've misunderstood what I had in mind. I'm not talking about you including mydestructivescript.sh in the distribution. I'm talking about running it as part of tlmgr updating the installation or as part of the initial installation. – cfr Dec 15 '15 at 01:13
  • Yes, the location is correct, look at ctan2tds. Concerning the script - of course we don't run any package supplied scripts, we only ship them. The code that is executed by tlmgr is solely written by us. – norbert Dec 15 '15 at 08:03
  • That's all I meant. – cfr Dec 15 '15 at 15:06