Testing Hardened Runtime in Basic TeX

Richard Koch-2
Folks,

I'm hoping to recruit MacTeX users, particularly those running BasicTeX, to test a new distribution which will replace the current one this fall. This task should be easy:

1) Download the following install package, which has size 105 MB

        https://pages.uoregon.edu/koch/BasicTeX-2019-Hardened.pkg

2) Install the package. It will not overwrite BasicTeX-2019 or MacTeX-2019, and it should behave just like BasicTeX-2019

3) Typeset your standard projects. If you run into difficulty, switch to your copy of BasicTeX-2019 and try again. If BasicTeX-2019 works but BasicTeX-2019-Hardened fails, write me and we will try to diagnose the problem.

I already tried pdflatex, xelatex, and lualatex on a 120 page document. All three worked fine.

Feel free to use TeX Live Utility to upgrade BasicTeX-2019 and BasicTeX-2019-Hardened during the test. This is not entirely optimal, since if any actual binaries are updated, then the hardened originals will be replaced by ordinary new copies. But we seldom update actual binaries during the year.

Later this summer, I'll call for a similar test of MacTeX-2019-Hardened. Let's wait for that test until after the Apple Developer Conference in the first week of June to see if Apple has further information about hardened runtimes.

--------------------------

Explanation: For many years, all of the MacTeX install packages have been signed. This April, Apple told developers that starting with macOS 10.15 this fall, install packages must be both signed and NOTARIZED.
To notarize a package, the developer sends it to Apple. Machines at Apple examine the package for hidden viruses. If none are found, a certificate is mailed back to the developer and "stapled" to the install package. According to Apple, no human hands examine the install package. This is a service to ensure that viruses are not accidentally distributed with install packages.

The package Ghostscript 9.27 released last month was signed and notarized, but BasicTeX and MacTeX were only signed.

The real point of notarization is that all applications and binary command programs installed by the package must adopt a hardened runtime. This is explained next.

--------------------------

When I retired from the University of Oregon in 2002, the freshman dorms had newly installed ethernet jacks. Entering freshmen discovered a CD and a paper with instructions taped over the jack. The instructions warned that students should install the virus checkers on the CD before connecting their computer to ethernet. "Failure to follow these instructions will result in denial of ethernet access in this room", the sheet warned. Then it added "Macintosh users can ignore these instructions."

Those days are long gone.

In 2002, Mac users felt secure because their computer ran Unix, which has excellent protection of the kernel and regular users against irresponsible users who download viruses and divulge their passwords. But today most Macs have a single owner, and security can fail because the user downloaded a poorly coded program.

If an application is compromised by a security attack, the attacker can use the application to do many dangerous things. He or she could access the video camera or the microphone; they could download the owner's Contact list or read their mail. They could download a third party Library and dynamically link to the library, or compile their own JIT code and run that code. Most of these are not things the original application needed to do or was programmed to do. Apple has provided a list of 13 dangerous operations; if an application running with a hardened runtime attempts to do any of these dangerous things, it is immediately shut down. Think of this as a "gift" to developers from Apple. The developer has no intention of opening your microphone and recording everything you say, but even if a hacker takes over, that hacker cannot turn on the microphone.

However, some applications will want to do one or two of these prohibited operations. I've always dreamed of a TeX editor which used the video camera to scan handwritten commutative diagrams, and converted the scan into TeX code.

So the list of 13 dangerous operations is accompanied by a list of 13 exceptions which developers can claim. A developer who wants to use the video camera can file an exception to that restriction, and then that developer is free to use the video camera.

Note that there are the same number of exceptions as restrictions. Theoretically a developer could claim all 13 exceptions and then the hardened runtime would have no effect. Nobody at Apple approves exceptions, or even sees them. In Xcode, for instance, a developer claims exceptions by checking boxes. Check 13 boxes and that developer is free to do anything.

The full list of restrictions and exceptions is available from Apple:

     https://developer.apple.com/documentation/security/hardened_runtime_entitlements#

Only two command line programs in BasicTeX required exceptions. One of the prohibited actions is dynamically linking with Third Party code signed by a different developer. Luckily, TeX Live contains its own libraries statically linked. The one exception is X11, which most Linux and Unix systems provide directly. On the Macintosh, X11 is provided by a third party open source group. The programs mf and xdvi-xaw link with this X11 code and required exceptions.

--------------------------

Several years ago, Apple introduced "sandboxing" and required that all apps available through the Apple Store be sandboxed. A sandboxed application cannot perform various dangerous tasks. One of the prohibited operations is calling another program, a restriction which is almost fatal for TeX. Some of my friends fear that Apple is moving in the direction of requiring that all apps be sandboxed, and that only programs available in the App Store will be allowed to run on the machine. I do not share this pessimistic point of view, partially because many Apple engineers came from the open source movement, and partially because Apple officials have often declared that they have no intention of merging the Mac with the iPad and iPhone. But whether I am right or wrong, hardened runtimes are not something we need worry about. They are Apple's way of aiding developers to establish security, while not restricting what their programs can do.


Richard Koch
[hidden email]
----------- Please Consult the Following Before Posting -----------
TeX FAQ: http://www.tex.ac.uk/faq
List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/tex/
List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
                https://email.esm.psu.edu/pipermail/macosx-tex/
TeX on Mac OS X Website: http://mactex-wiki.tug.org/
List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex
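
An added example, not part of the original post and not MacTeX tooling: a small audit of which hardened-runtime exceptions each signed binary claims, checked against an allowlist. It assumes the entitlements were dumped as XML plists (for instance with `codesign -d --entitlements :- <binary>`), that the X11 exception described above corresponds to the `com.apple.security.cs.disable-library-validation` key, and it uses constructed sample data; `example-tool` is a hypothetical binary.

```python
"""Audit hardened-runtime exceptions claimed by signed binaries."""
import plistlib

# Runtime exceptions in Apple's hardened runtime entitlement list.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
}
# Resource-access entitlements in the same list.
RESOURCE_ACCESS = {
    "com.apple.security.device.audio-input",
    "com.apple.security.device.camera",
    "com.apple.security.personal-information.location",
    "com.apple.security.personal-information.addressbook",
    "com.apple.security.personal-information.calendars",
    "com.apple.security.personal-information.photos-library",
    "com.apple.security.automation.apple-events",
}
ALL_EXCEPTIONS = RUNTIME_EXCEPTIONS | RESOURCE_ACCESS

# Assumption: this is the key behind the X11 linking exception in the post.
DLV = "com.apple.security.cs.disable-library-validation"


def claimed_exceptions(plist_bytes):
    """Return the hardened-runtime exceptions set to true in one plist.

    An empty dump means the binary was signed with no entitlements.
    A key present with value false is not a claimed exception.
    """
    if not plist_bytes.strip():
        return set()
    entitlements = plistlib.loads(plist_bytes)
    return {k for k, v in entitlements.items()
            if k in ALL_EXCEPTIONS and v is True}


def audit(binaries, allowed):
    """Compare claimed exceptions with an allowlist.

    binaries: name -> entitlements plist bytes
    allowed:  name -> set of exception keys that binary may claim
    Returns a list of (name, finding) tuples, sorted by binary name.
    """
    findings = []
    for name, blob in sorted(binaries.items()):
        claimed = claimed_exceptions(blob)
        for key in sorted(claimed - allowed.get(name, set())):
            findings.append((name, "unexpected exception: " + key))
        if claimed == ALL_EXCEPTIONS:
            findings.append((name, "every exception claimed"))
    return findings


# Constructed sample data: two binaries named in the post with the X11
# exception, one with no entitlements, and a hypothetical extra tool.
SAMPLE = {
    "mf": plistlib.dumps({DLV: True}),
    "xdvi-xaw": plistlib.dumps({DLV: True}),
    "pdflatex": b"",
    "example-tool": plistlib.dumps(
        {DLV: True, "com.apple.security.cs.allow-jit": True}),
}
ALLOWED = {"mf": {DLV}, "xdvi-xaw": {DLV}}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, ALLOWED):
        print(name + ": " + finding)
```

Because nobody reviews the claimed exceptions, a check like this in the packaging step is what keeps the exception list limited to the binaries that need it.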

Re: Testing Hardened Runtime in Basic TeX

R Martinez
Dick,

Great explanation about hardened code and security considerations. Thanks for taking the time to explain all this and especially for providing historical context.

Best wishes,

Raúl Martínez



Re: Testing Hardened Runtime in Basic TeX

Murray Eisenberg
In reply to this post by Richard Koch-2
I’m using many packages with MacTeX 2019, some of which may not be part of BasicTeX.

Will BasicTeX-2019-Hardened still allow on-the-fly downloading of packages not already distributed with it?


---
Murray Eisenberg [hidden email]
503 King Farm Blvd #101 Home (240)-246-7240
Rockville, MD 20850-6667 Mobile (413)-427-5334



Re: Testing Hardened Runtime in Basic TeX

Richard Koch-2
Yes, and that will not interfere with the test. Very useful if you do this.

Dick Koch



> On May 17, 2019, at 2:50 PM, Murray Eisenberg <[hidden email]> wrote:
>
> I’m using many packages with MacTeX 2019, some of which may not be part of BasicTeX.
>
> Will BasicTeX-2019-Hardened still allow on-the-fly downloading of packages not already distributed with it?
>

Re: Testing Hardened Runtime in Basic TeX

Ettore Aldrovandi
In reply to this post by Richard Koch-2
Dick,

excellent, very useful, explanation. Thank you,

—Ettore

Ettore Aldrovandi
Department of Mathematics, Florida State University
1017 Academic Way                *   http://www.math.fsu.edu/~ealdrov
Tallahassee, FL 32306-4510, USA * * aldrovandi at math dot fsu dot edu

On May 17, 2019, at 17:38, Richard Koch <[hidden email]> wrote:

Folks,

I'm hoping to recruit MacTeX users, particularly those running BasicTeX, to test a new distribution which will replace the current one this fall. This task should be easy:

a) Download the following install package, which has size 105 MB

https://pages.uoregon.edu/koch/BasicTeX-2019-Hardened.pkg

2) Install the package. It will not overwrite BasicTeX-2019 or MacTeX-2019, and it should behave just like BasicTeX-2019

3) Typeset your standard projects. If you run into difficulty, switch to your copy of BasicTeX-2019 and try again. If BasicTeX-2019 works but BasicTeX-2019-Hardened fails, write me and we will try to diagnose the problem.

I already tried pdflatex, xelatex, and lualatex on a 120 page document. All three worked fine.

Feel free to use TeX Live Utility to upgrade BasicTeX-2019 and BasicTeX-2019-Hardened during the test. This is not entirely optimal, since if any actual binaries are updated, then the hardened originals will be replaced by ordinary new copies. But we seldom update actual binaries during the year.

Later this summer, I'll call for a similar test of MacTeX-2019-Hardened. Let's wait for that test until after the Apple Developer Conference in the first week of June to see if Apple has further information about hardened runtimes.

--------------------------

Explanation: For many years, all of the MacTeX install packages have been signed. This April, Apple told developers that starting with macOS 10.15 this fall, install packages must be both signed and NOTARIZED.
To notarize a package, the developer sends it to Apple. Machines at Apple examine the package for hidden viruses. If none are found, a certificate is mailed back to the developer and "stapled" to the install package. According to Apple, no human hands examine the install package. This is a service to ensure that viruses are not accidentally distributed with install packages.

The package Ghostscript 9.27 released last month was signed and notarized, but BasicTeX and MacTeX were only signed.

The real point of notarization is that all applications and binary command programs installed by the package must adopt a hardened runtime. This is explained next.

--------------------------

When I retired from the University of Oregon in 2002, the freshman dorms had newly installed ethernet jacks. Entering freshmen discovered a CD and a paper with instructions taped over the jack. The instructions warned that students should install the virus checkers on the CD before connecting their computer to ethernet. "Failure to follow these instructions will result in denial of ethernet access in this room", the sheet warned. Then it added "Macintosh users can ignore these instructions."

Those days are long gone.

In 2002, Mac users felt secure because their computer ran Unix, which has excellent protection of the kernel and regular users against irresponsible users who download viruses and divulge their passwords. But today most Macs have a single owner, and security can fail because the user downloaded a poorly coded program.

If an application is compromised by a security attack, the attacker can use the application to do many dangerous things. He or she could access the video camera or the microphone; they could download the owner's Contact list or read their mail. They could download a third party Library and dynamically link to the library, or compile their own JIT code and run that code. Most of these are not things the original application needed to do or was programmed to do. Apple has provided a list of 13 dangerous operations; if an application running with a hardened runtime attempts to do any of these dangerous things, it is immediately shut down. Think of this as a "gift" to developers from Apple. The developer has no intention of opening your microphone and recording everything you say, but even if a hacker takes over, that hacker cannot turn on the microphone.

However, some applications will want to do one or two of these prohibited operations. I've always dreamed of a TeX editor which used the video camera to scan handwritten commutative diagrams, and converted the scan into TeX code.

So the list of 13 dangerous operations is accompanied by a list of 13 exceptions which developers can claim. A developer who wants to use the video camera can file an exception to that restriction, and then that developer is free to use the video camera.

Note that there are the same number of exceptions as restrictions. Theoretically a developer could claim all 13 exceptions and then the hardened runtime would have no effect. Nobody at Apple approves exceptions, or even sees them. In Xcode, for instance, a developer claims exceptions by checking boxes. Check 13 boxes and that developer is free to do anything.

The full list of restrictions and exceptions is available from Apple:

    https://developer.apple.com/documentation/security/hardened_runtime_entitlements#

Only two command line programs in BasicTeX required exceptions. One of the prohibited actions is dynamically linking with Third Party code signed by a different developer. Luckily, TeX Live contains its own libraries statically linked. The one exception is X11, which most Linux and Unix systems provide directly. On the Macintosh, X11 is provided by a third party open source group. The programs mf and xdvi-xaw link with this X11 code and required exceptions.

--------------------------

Several years ago, Apple introduced "sandboxing" and required that all apps available through the Apple Store be sandboxed. A sandboxed application cannot perform various dangerous tasks. One of the prohibited operations is calling another program, a restriction which is almost fatal for TeX. Some of my friends fear that Apple is moving in the direction of requiring that all apps be sandboxed, and that only programs available in the App Store will be allowed to run on the machine. I do not share this pessimistic point of view, partially because many Apple engineers came from the open source movement, and partially because Apple officials have often declared that they have no intention of merging the Mac with the iPad and iPhone. But whether I am right or wrong, hardened runtimes are not something we need worry about. They are Apple's way of aiding developers to establish security, while not restricting what their programs can do.


Richard Koch
[hidden email]
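
The announcement quoted above makes two checkable points: an updated binary can lose its hardened runtime, and exceptions are self-declared entitlements that nobody reviews. The following is an added example, not code from the post or from MacTeX, that classifies a binary from `codesign` output. The sample output is constructed, and the entitlement shown for mf is an assumption (the post does not name it).

```python
"""Audit hardened-runtime status and claimed exceptions from codesign output."""
import plistlib
import re
import subprocess

CS_RUNTIME = 0x10000  # code-signing flag bit that marks the hardened runtime

# The 13 entitlement keys in Apple's hardened runtime documentation.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
}
RESOURCE_ACCESS = {
    "com.apple.security.device.audio-input",
    "com.apple.security.device.camera",
    "com.apple.security.personal-information.location",
    "com.apple.security.personal-information.addressbook",
    "com.apple.security.personal-information.calendars",
    "com.apple.security.personal-information.photos-library",
    "com.apple.security.automation.apple-events",
}
KNOWN = RUNTIME_EXCEPTIONS | RESOURCE_ACCESS

_FLAGS_RE = re.compile(r"flags=0x([0-9a-fA-F]+)")


def has_hardened_runtime(codesign_dv_text):
    """True if the CodeDirectory flags reported by `codesign -dv` include runtime."""
    match = _FLAGS_RE.search(codesign_dv_text)
    return bool(match) and bool(int(match.group(1), 16) & CS_RUNTIME)


def claimed_exceptions(entitlements_xml):
    """Return the hardened-runtime entitlements set to true in an XML plist."""
    data = entitlements_xml.strip()
    if not data:  # a binary signed without entitlements yields no plist at all
        return []
    entitlements = plistlib.loads(data)
    return sorted(k for k, v in entitlements.items() if v is True and k in KNOWN)


def classify(codesign_dv_text, entitlements_xml):
    """Combine both checks into (status, list of claimed exceptions)."""
    if not has_hardened_runtime(codesign_dv_text):
        return ("NOT HARDENED", [])
    exceptions = claimed_exceptions(entitlements_xml)
    return ("HARDENED+EXCEPTIONS" if exceptions else "HARDENED", exceptions)


def inspect_binary(path):
    """macOS only: run codesign on a real file and classify it.

    `codesign -dv` writes its report to stderr; `--entitlements :-` writes the
    entitlement plist to stdout (the 2019-era syntax).
    """
    dv = subprocess.run(["codesign", "-dv", path],
                        capture_output=True, text=True).stderr
    ent = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                         capture_output=True).stdout
    return classify(dv, ent)


# Constructed sample data: names, sizes and flags are illustrative only.
_DV = "CodeDirectory v=20500 size=4096 flags={} hashes=120+5 location=embedded\n"
SAMPLES = {
    # hardened, no exceptions claimed
    "pdftex": (_DV.format("0x10000(runtime)"), b""),
    # hardened, with one exception (ASSUMED key for the X11 linking case)
    "mf": (_DV.format("0x10000(runtime)"),
           plistlib.dumps({"com.apple.security.cs.disable-library-validation": True})),
    # hypothetical binary replaced by an ordinary, non-hardened copy
    "updated-binary": (_DV.format("0x0(none)"), b""),
}


def audit_samples():
    return {name: classify(dv, ent) for name, (dv, ent) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (status, exceptions) in audit_samples().items():
        print(f"{name:16} {status:20} {', '.join(exceptions)}")
```

On a Mac, `inspect_binary` can be run over each file in the distribution's binary directory after a TeX Live Utility update to see which binaries are no longer hardened.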

Re: Testing Hardened Runtime in Basic TeX

facenda
In reply to this post by Richard Koch-2
I have just installed on my MacBookPro (macOS Mojave 10.14.4) BasicTeX-2019-Hardened, but when I compiled a file that calls a package not included in this distribution, I get an error and the package is not installed.
Any help would be very appreciated.

José A. Facenda
Universidad de Sevilla

Log File:

This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019) (preloaded format=pdflatex)
 restricted \write18 enabled.
entering extended mode
(./final1_sol.tex
LaTeX2e <2018-12-01>
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/base/article.cls
Document Class: article 2018/09/03 v1.4i Standard LaTeX document class
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/base/size11.clo))
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsmath.sty
For additional information on amsmath, use the `?' option.

(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amstext.sty
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsgen.sty)
)
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsbsy.sty)
 (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsopn.sty
))
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsfonts/amssymb.st
y
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsfonts/amsfonts.s
ty))
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/mdwtools/mdwlist.st
y)

! LaTeX Error: File `framed.sty' not found.

Type X to quit or <RETURN> to proceed,
or enter new name. (Default extension: sty)

Enter file name: x



On 18 May 2019, at 1:00, Richard Koch <[hidden email]> wrote:

Yes, and that will not interfere with the test. Very useful if you do this.

Dick Koch



On May 17, 2019, at 2:50 PM, Murray Eisenberg <[hidden email]> wrote:

I’m using many packages with MacTeX 2019, some of which may not be part of BasicTeX.

Will BasicTeX-2019-Hardened still allow on-the-fly downloading of packages not already distributed with it?

---
Murray Eisenberg [hidden email]
503 King Farm Blvd #101 Home (240)-246-7240
Rockville, MD 20850-6667 Mobile (413)-427-5334



Re: Testing Hardened Runtime in Basic TeX

Herbert Schulz
> On May 18, 2019, at 6:18 AM, José Antonio Facenda Aguirre <[hidden email]> wrote:
>
> I have just installed on my MacBookPro (macOS Mojave 10.14.4) BasicTeX-2019-Hardened, but when I compiled a file that calls a package not included in this distribution, I get an error and the package is not installed.
> Any help would be very appreciated.
>
> José A. Facenda
> Universidad de Sevilla
>
> Log File:
>
> This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019) (preloaded format=pdflatex)
>  restricted \write18 enabled.
> entering extended mode
> (./final1_sol.tex
> LaTeX2e <2018-12-01>
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/base/article.cls
> Document Class: article 2018/09/03 v1.4i Standard LaTeX document class
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/base/size11.clo))
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsmath.sty
> For additional information on amsmath, use the `?' option.
>
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amstext.sty
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsgen.sty)
> )
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsbsy.sty)
>  (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsopn.sty
> ))
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsfonts/amssymb.st
> y
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsfonts/amsfonts.s
> ty))
> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/mdwtools/mdwlist.st
> y)
>
> ! LaTeX Error: File `framed.sty' not found.
>
> Type X to quit or <RETURN> to proceed,
> or enter new name. (Default extension: sty)
>
> Enter file name: x
>
>
>
>> On 18 May 2019, at 1:00, Richard Koch <[hidden email]> wrote:
>>
>> Yes, and that will not interfere with the test. Very useful if you do this.
>>
>> Dick Koch
>>
>>
>>
>>> On May 17, 2019, at 2:50 PM, Murray Eisenberg <[hidden email]> wrote:
>>>
>>> I’m using many packages with MacTeX 2019, some of which may not be part of BasicTeX.
>>>
>>> Will BasicTeX-2019-Hardened still allow on-the-fly downloading of packages not already distributed with it?
>>>

Howdy,

You can use TeX Live Utility to install packages that are missing. Use the Packages tab to see the complete list and select the ones you need and have TLU install them.

Good Luck,

Herb Schulz
(herbs at wideopenwest dot com)


Re: Testing Hardened Runtime in Basic TeX

facenda
Ok, but I think that this work was automatically done by BasicTeX.
Many thanks,
José A. Facenda

On 18 May 2019, at 13:38, Herbert Schulz <[hidden email]> wrote:

On May 18, 2019, at 6:18 AM, José Antonio Facenda Aguirre <[hidden email]> wrote:

I have just installed on my MacBookPro (macOS Mojave 10.14.4) BasicTeX-2019-Hardened, but when I compiled a file that calls a package not included in this distribution, I get an error and the package is not installed.
Any help would be very appreciated.

José A. Facenda
Universidad de Sevilla

Log File:

This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019) (preloaded format=pdflatex)
restricted \write18 enabled.
entering extended mode
(./final1_sol.tex
LaTeX2e <2018-12-01>
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/base/article.cls
Document Class: article 2018/09/03 v1.4i Standard LaTeX document class
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/base/size11.clo))
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsmath.sty
For additional information on amsmath, use the `?' option.

(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amstext.sty
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsgen.sty)
)
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsbsy.sty)
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsopn.sty
))
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsfonts/amssymb.st
y
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsfonts/amsfonts.s
ty))
(/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/mdwtools/mdwlist.st
y)

! LaTeX Error: File `framed.sty' not found.

Type X to quit or <RETURN> to proceed,
or enter new name. (Default extension: sty)

Enter file name: x



On 18 May 2019, at 1:00, Richard Koch <[hidden email]> wrote:

Yes, and that will not interfere with the test. Very useful if you do this.

Dick Koch



On May 17, 2019, at 2:50 PM, Murray Eisenberg <[hidden email]> wrote:

I’m using many packages with MacTeX 2019, some of which may not be part of BasicTeX.

Will BasicTeX-2019-Hardened still allow on-the-fly downloading of packages not already distributed with it?

On 17 May 2019, at 5:38 PM, Richard Koch <[hidden email]> wrote:

Folks,

I'm hoping to recruit MacTeX users, particularly those running BasicTeX, to test a new distribution which will replace the current one this fall. This task should be easy:

a) Download the following install package, which has size 105 MB

https://pages.uoregon.edu/koch/BasicTeX-2019-Hardened.pkg

2) Install the package. It will not overwrite BasicTeX-2019 or MacTeX-2019, and it should behave just like BasicTeX-2019

3) Typeset your standard projects. If you run into difficulty, switch to your copy of BasicTeX-2019 and try again. If BasicTeX-2019 works but BasicTeX-2019-Hardened fails, write me and we will try to diagnose the problem.

I already tried pdflatex, xelatex, and lualatex on a 120 page document. All three worked fine.

Feel free to use TeX Live Utility to upgrade BasicTeX-2019 and BasicTeX-2019-Hardened during the test. This is not entirely optimal, since if any actual binaries are updated, then the hardened originals will be replaced by ordinary new copies. But we seldom update actual binaries during the year.

Later this summer, I'll call for a similar test of MacTeX-2019-Hardened. Let's wait for that test until after the Apple Developer Conference in the first week of June to see if Apple has further information about hardened runtimes.

--------------------------

Explanation: For many years, all of the MacTeX install packages have been signed. This April, Apple told developers that starting with macOS 10.15 this fall, install packages must be both signed and NOTARIZED.
To notarize a package, the developer sends it to Apple. Machines at Apple examine the package for hidden viruses. If none are found, a certificate is mailed back to the developer and "stapled" to the install package. According to Apple, no human hands examine the install package. This is a service to ensure that viruses are not accidentally distributed with install packages.

The package Ghostscript 9.27 released last month was signed and notarized, but BasicTeX and MacTeX were only signed.

The real point of notarization is that all applications and binary command programs installed by the package must adopt a hardened runtime. This is explained next.

--------------------------

When I retired from the University of Oregon in 2002, the freshman dorms had newly installed ethernet jacks. Entering freshmen discovered a CD and a paper with instructions taped over the jack. The instructions warned that students should install the virus checkers on the CD before connecting their computer to ethernet. "Failure to follow these instructions will result in denial of ethernet access in this room", the sheet warned. Then it added "Macintosh users can ignore these instructions."

Those days are long gone.

In 2002, Mac users felt secure because their computer ran Unix, which has excellent protection of the kernel and regular users against irresponsible users who download viruses and divulge their passwords. But today most Macs have a single owner, and security can fail because the user downloaded a poorly coded program.

If an application is compromised by a security attack, the attacker can use the application to do many dangerous things. He or she could access the video camera or the microphone; they could download the owner's Contact list or read their mail. They could download a third party Library and dynamically link to the library, or compile their own JIT code and run that code. Most of these are not things the original application needed to do or was programmed to do. Apple has provided a list of 13 dangerous operations; if an application running with a hardened runtime attempts to do any of these dangerous things, it is immediately shut down. Think of this as a ''gift'' to developers from Apple. The developer has no intention of opening your microphone and recording everything you say, but even if a hacker takes over, that hacker cannot turn on the microphone.

However, some applications will want to do one or two of these prohibited operations. I've always dreamed of a TeX editor which used the video camera to scan handwritten commutative diagrams, and converted the scan into TeX code.

So the list of 13 dangerous operations is accompanied by a list of 13 exceptions which developers can claim. A developer who wants to use the video camera can file an exception to that restriction, and then that developer is free to use the video camera.

Note that there are the same number of exceptions as restrictions. Theoretically a developer could claim all 13 exceptions and then the hardened runtime would have no effect. Nobody at Apple approves exceptions, or even sees them. In Xcode, for instance, a developer claims exceptions by checking boxes. Check 13 boxes and that developer is free to do anything.

The full list of restrictions and exceptions is available from Apple:

 https://developer.apple.com/documentation/security/hardened_runtime_entitlements#

Only two command line programs in BasicTeX required exceptions. One of the prohibited actions is dynamically linking with Third Party code signed by a different developer. Luckily, TeX Live contains its own libraries statically linked. The one exception is X11, which most Linux and Unix systems provide directly. On the Macintosh, X11 is provided by a third party open source group. The programs mf and xdvi-xaw link with this X11 code and required exceptions.

--------------------------

Several years ago, Apple introduced "sandboxing" and required that all apps available through the Apple Store be sandboxed. A sandboxed application cannot perform various dangerous tasks. One of the prohibited operations is calling another program, a restriction which is almost fatal for TeX. Some of my friends fear that Apple is moving in the direction of requiring that all apps be sandboxed, and that only programs available in the App Store will be allowed to run on the machine. I do not share this pessimistic point of view, partially because many Apple engineers came from the open source movement, and partially because Apple officials have often declared that they have no intention of merging the Mac with the iPad and iPhone. But whether I am right or wrong, hardened runtimes are not something we need worry about. They are Apple's way of aiding developers to establish security, while not restricting what their programs can do.


Richard Koch
[hidden email]

Howdy,

You can use TeX Live Utility to install packages that are missing. Use the Packages tab to see the complete list and select the ones you need and have TLU install them.

Good Luck,

Herb Schulz
(herbs at wideopenwest dot com)

----------- Please Consult the Following Before Posting -----------
TeX FAQ: http://www.tex.ac.uk/faq
List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/tex/
List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
               https://email.esm.psu.edu/pipermail/macosx-tex/
TeX on Mac OS X Website: http://mactex-wiki.tug.org/
List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex
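
An added example, not part of the thread and not MacTeX's own tooling: a small audit that reads the output of `codesign -d --verbose=2` and `codesign -d --entitlements :-` for a binary and reports whether the hardened runtime flag is set and which of the 13 exceptions described above it claims. The sample codesign output and entitlements below are constructed, and the choice of `disable-library-validation` as the exception claimed by mf is an assumption, since the post does not name the key.

```python
import plistlib
import re
import subprocess
import sys

CS_RUNTIME = 0x10000  # "runtime" bit in the flags= field that codesign prints

# Apple's hardened runtime entitlement keys: 6 runtime exceptions, 7 resource grants.
ENTITLEMENTS = {
    "com.apple.security.cs.allow-jit": "create JIT-compiled code",
    "com.apple.security.cs.allow-unsigned-executable-memory": "writable and executable memory",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* environment variables",
    "com.apple.security.cs.disable-library-validation": "load libraries signed by others",
    "com.apple.security.cs.disable-executable-page-protection": "no code-memory protection",
    "com.apple.security.cs.debugger": "act as a debugger for other processes",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.camera": "camera",
    "com.apple.security.personal-information.location": "location",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.photos-library": "photos",
    "com.apple.security.automation.apple-events": "send Apple Events",
}

# Constructed sample data (not captured from a real installation).
SAMPLE_MF_INFO = """Executable=/Library/TeX/texbin/mf
Identifier=mf
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=4096 flags=0x10000(runtime) hashes=120+5 location=embedded
"""
# Assumption: the X11 linking exception is expressed with disable-library-validation.
SAMPLE_MF_ENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>
"""
SAMPLE_UNHARDENED_INFO = """Executable=/Library/TeX/texbin/example-tool
CodeDirectory v=20200 size=2048 flags=0x0(none) hashes=60+2 location=embedded
"""


def is_hardened(codesign_info):
    """True if the code directory flags include the hardened runtime bit."""
    m = re.search(r"\bflags=0x([0-9a-fA-F]+)", codesign_info)
    return bool(m) and bool(int(m.group(1), 16) & CS_RUNTIME)


def claimed_exceptions(entitlements_xml):
    """Hardened runtime entitlement keys set to true in an entitlements plist."""
    data = entitlements_xml.strip()
    if not data:  # codesign prints nothing when there are no entitlements
        return []
    plist = plistlib.loads(data)
    return sorted(k for k, v in plist.items() if v is True and k in ENTITLEMENTS)


def audit(codesign_info, entitlements_xml=b""):
    """Combine both codesign outputs into one verdict for a binary."""
    hardened = is_hardened(codesign_info)
    claimed = claimed_exceptions(entitlements_xml)
    if not hardened:
        summary = "NOT hardened"
    elif not claimed:
        summary = "hardened, no exceptions"
    else:
        summary = "hardened, %d of %d exceptions claimed" % (len(claimed), len(ENTITLEMENTS))
    return {"hardened": hardened, "exceptions": claimed, "summary": summary}


def inspect(path):
    """Run codesign on one binary (macOS only) and audit the result."""
    info = subprocess.run(["codesign", "-d", "--verbose=2", path],
                          capture_output=True, text=True).stderr  # details go to stderr
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True).stdout
    return audit(info, ents)


if __name__ == "__main__":
    if sys.platform == "darwin" and len(sys.argv) > 1:
        for path in sys.argv[1:]:
            result = inspect(path)
            print(path, "->", result["summary"])
            for key in result["exceptions"]:
                print("   ", key, "(%s)" % ENTITLEMENTS[key])
    else:
        print("mf (sample):", audit(SAMPLE_MF_INFO, SAMPLE_MF_ENTS)["summary"])
        print("example-tool (sample):", audit(SAMPLE_UNHARDENED_INFO)["summary"])
```

On a Mac, pass the binaries to check as arguments; a binary that reports many claimed exceptions is the "check 13 boxes" case the post describes.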



Re: Testing Hardened Runtime in Basic TeX

Richard Koch-2
No. MiKTeX on Windows will do that, but not BasicTeX or other distributions based on TeX Live.
So this is not a "hardened runtime" problem.

Dick Koch

> On May 18, 2019, at 4:41 AM, José Antonio Facenda Aguirre <[hidden email]> wrote:
>
> Ok, but I think that this work was automatically done by BasicTeX.
> Many thanks,
> José A. Facenda
>
>> On 18 May 2019, at 13:38, Herbert Schulz <[hidden email]> wrote:
>>
>>> On May 18, 2019, at 6:18 AM, José Antonio Facenda Aguirre <[hidden email]> wrote:
>>>
>>> I have just installed on my MacBookPro (macOS Mojave 10.14.4) BasicTeX-2019-Hardened, but when I compiled a file that calls a package not included in this distribution, I get an error and the package is not installed.
>>> Any help would be very appreciated.
>>>
>>> José A. Facenda
>>> Universidad de Sevilla
>>>
>>> Log File:
>>>
>>> This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019) (preloaded format=pdflatex)
>>> restricted \write18 enabled.
>>> entering extended mode
>>> (./final1_sol.tex
>>> LaTeX2e <2018-12-01>
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/base/article.cls
>>> Document Class: article 2018/09/03 v1.4i Standard LaTeX document class
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/base/size11.clo))
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsmath.sty
>>> For additional information on amsmath, use the `?' option.
>>>
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amstext.sty
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsgen.sty)
>>> )
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsbsy.sty)
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsmath/amsopn.sty
>>> ))
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsfonts/amssymb.st
>>> y
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/amsfonts/amsfonts.s
>>> ty))
>>> (/usr/local/texlive/2019basic-hardened/texmf-dist/tex/latex/mdwtools/mdwlist.st
>>> y)
>>>
>>> ! LaTeX Error: File `framed.sty' not found.
>>>
>>> Type X to quit or <RETURN> to proceed,
>>> or enter new name. (Default extension: sty)
>>>
>>> Enter file name: x
>>>
>>>
>>>
>>>> On 18 May 2019, at 1:00, Richard Koch <[hidden email]> wrote:
>>>>
>>>> Yes, and that will not interfere with the test. Very useful if you do this.
>>>>
>>>> Dick Koch
>>>>
>>>>
>>>>
>>>>> On May 17, 2019, at 2:50 PM, Murray Eisenberg <[hidden email]> wrote:
>>>>>
>>>>> I’m using many packages with MacTeX 2019, some of which may not be part of BasicTeX.
>>>>>
>>>>> Will BasicTeX-2019-Hardened still allow on-the-fly downloading of packages not already distributed with it?
>>>>>
>>
>> Howdy,
>>
>> You can use TeX Live Utility to install packages that are missing. Use the Packages tab to see the complete list and select the ones you need and have TLU install them.
>>
>> Good Luck,
>>
>> Herb Schulz
>> (herbs at wideopenwest dot com)
>>

Re: Testing Hardened Runtime in Basic TeX

Vic Norton
In reply to this post by Richard Koch-2
I have been using MacTeX for years. Everything works perfectly. I am now running macOS_10.14.4 and MacTeX_2019 with TeXShop_4.27.

This is the first I’ve heard of BasicTeX. Is there any reason I should download and install this package?

Vic Norton

> On May 17, 2019, at 5:38 PM, Richard Koch <[hidden email]> wrote:
>
> Folks,
>
> I'm hoping to recruit MacTeX users, particularly those running BasicTeX, to test a new distribution which will replace the current one this fall. This task should be easy:
>
> a) Download the following install package, which has size 105 MB
>
> https://pages.uoregon.edu/koch/BasicTeX-2019-Hardened.pkg
>


Re: Testing Hardened Runtime in Basic TeX

Murray Eisenberg
In reply to this post by Richard Koch-2
Although you say that installing BasicTeX-2019-Hardened will not overwrite MacTeX-2019, could you clarify some aspects of that claim?

(1) Will existing GUI apps in /Applications/TeX, such as TeXShop.app, TeX Live Utility.app, be overwritten?

        What about existing ~/Library/texlive/2019, ~/Library/TeXShop ? (Also see #2, below.)

(2) Installing BasicTeX-2019-Hardened must change the symbolic links  /Library/TeX/texbin and, I presume, /Library/TeX/Documentation, /Library/TeX/Root, and /Library/TeX/Distributions/Programs/texbin.

        Any others?

(3) If I need to revert to the regular (full) MacTeX-2019 already installed, is there anything else I need to do besides changing those symbolic links back?



---
Murray Eisenberg [hidden email]
503 King Farm Blvd #101 Home (240)-246-7240
Rockville, MD 20850-6667 Mobile (413)-427-5334



Re: Testing Hardened Runtime in Basic TeX

Richard Koch-2
Gosh, we work for years on this stuff, and then it turns out that users are oblivious to it.  (No criticism, just a little astonishment!)

1) BasicTeX does not install GUI apps. It just installs a TeX Distribution. Your current GUI apps work fine with it.

2) BasicTeX is installed in /usr/local/texlive/2019basic. BasicTeX-2019-Hardened is installed in /usr/local/texlive/2019basic-hardened. The full TeX Live 2019 is in /usr/local/texlive/2019.

3) All TeX Distributions from us share ~/Library/texmf

4) Sometimes TeX Distributions need to write information (like font data) when being run by a user in user mode. They do this using special folders in ~/Library/texlive. Each distribution has two folders here for different kinds of data. The full TeX Live 2019's folders in the location are 2019/texmf-var and 2019/texmf-config. For BasicTeX this year, they are 2019basic/texmf-var and 2019basic/texmf-config. The hardened versions use 2019basic-hardened/texmf-var and 2019basic-hardened/texmf-config. All very systematic.

5) Long ago, Gerben Wierda and Jerome Laurens invented a "TeXDist data structure". Every one of our TeX Live based distributions has data there. Also, /Library/TeX/texbin, /Library/TeX/Documentation, /Library/TeX/Root point into this data structure. In particular, TeXLive-2018, TeXLive-2019, BasicTeX-2018, BasicTeX-2019, and BasicTeX-2019-Hardened each have sections of data there.

6) Remember long ago when Jerome Laurens had a Preference Pane which switched the active data? This pane actually switched a symbolic link in the TeX Dist data (NOT /Library/TeX/texbin, but some more hidden link).
Switching this link automatically switched EVERYTHING, so your GUI apps, the command line, and everything suddenly used a different TeX Distribution.

7) More recently, TeX Live Utility is used to switch the default TeX distribution. It does exactly the same thing that the old Preference Pane did. The pane is now obsolete because Apple kept switching the standards which Pref Panes need to use: universal-binary, then 32-bit Intel, then 64-bit Intel with Garbage Collection, then 64-bit Intel without Garbage Collection but using Automatic Reference Counting. That's because Pref Panes are plug ins for Apple's Preference Pane application, so any change in that application changed how Pref Panes work. So we switched to TeX Live Utility.

8) So the answer to your full set of questions is that you can switch between TeXLive-2019 and BasicTeX-2019-Hardened exactly like you currently switch between TeXLive-2018 and TeXLive-2019.

Dick Koch
koch@uoregon.edu





> On May 18, 2019, at 12:33 PM, Murray Eisenberg <[hidden email]> wrote:
>
> Although you say that installing BasicTeX-2019-Hardened will not overwrite MacTeX-2019, could you clarify some aspects of that claim?
>
> (1) Will existing GUI apps in /Applications/TeX, such as TeXShop.app, TeX Live Utility.app, be overwritten?
>
> What about existing ~/Library/texlive/2019, ~/Library/TeXShop ? (Also see #2, below.)
>
> (2) Installing BasicTeX-2019-Hardened must change the symbolic links  /Library/TeX/texbin and, I presume, /Library/TeX/Documentation, /Library/TeX/Root, and /Library/TeX/Distributions/Programs/texbin.
>
> Any others?
>
> (3) If I need to revert to the regular (full) MacTeX-2019 already installed, is there anything else I need to do besides changing those symbolic links back?
>
>
>> On 17 May2019, at 5:38 PM, Richard Koch <[hidden email]> wrote:
>>
>> Folks,
>>
>> I'm hoping to recruit MacTeX users, particularly those running BasicTeX, to test a new distribution which will replace the current one this fall. This task should be easy:
>>
>> a) Download the following install package, which has size 105 MB
>>
>> https://pages.uoregon.edu/koch/BasicTeX-2019-Hardened.pkg
>>
>> 2) Install the package. It will not overwrite BasicTeX-2019 or MacTeX-2019, and it should behave just like BasicTeX-2019
>>
>> 3) Typeset your standard projects. If you run into difficulty, switch to your copy of BasicTeX-2019 and try again. If BasicTeX-2019 works but BasicTeX-2019-Hardened fails, write me and we will try to diagnose the problem.
>>
>> I already tried pdflatex, xelatex, and lualatex on a 120 page document. All three worked fine.
>>
>> Feel free to use TeX Live Utility to upgrade BasicTeX-2019 and BasicTeX-2019-Hardened during the test. This is not entirely optimal, since if any actual binaries are updated, then the hardened originals will be replaced by ordinary new copies. But we seldom update actual binaries during the year.
>>
>> Later this summer, I'll call for a similar test of MacTeX-2019-Hardened. Let's wait for that test until after the Apple Developer Conference in the first week of June to see if Apple has further information about hardened runtimes.
>>
>> --------------------------
>>
>> Explanation: For many years, all of the MacTeX install packages have been signed. This April, Apple told developers that starting with macOS 10.15 this fall, install packages must be both signed and NOTARIZED.
>> To notarize a package, the developer sends it to Apple. Machines at Apple examine the package for hidden viruses. If none are found, a certificate is mailed back to the developer and "stapled" to the install package. According to Apple, no human hands examine the install package. This is a service to insure that viruses are not accidentally distributed with install packages.
>>
>> The package Ghostscript 9.27 released last month was signed and notarized, but BasicTeX and MacTeX were only signed.
>>
>> The real point of notarization is that all applications and binary command programs installed by the package must adopt a hardened runtime. This is explained next.
>>
>> --------------------------
>>
>> When I retired from the University of Oregon in 2002, the freshman dorms had newly installed ethernet jacks. Entering freshmen discovered a CD and a paper with instructions taped over the jack. The instructions warned that students should install the virus checkers on the CD before connecting their computer to ethernet. "Failure to follow these instructions will result in denial of ethernet access in this room", the sheet warned. Then it added "Macintosh users can ignore these instructions."
>>
>> Those days are long gone.
>>
>> In 2002, Mac users felt secure because their computer ran Unix, which has excellent protection of the kernel and regular users against irresponsible users who download viruses and divulge their passwords. But today most Macs have a single owner, and security can fail because the user downloaded a poorly coded program.
>>
>> If an application is compromised by a security attack, the attacker can use the application to do many dangerous things. He or she could access the video camera or the microphone; they could download the owner's Contact list or read their mail. They could download a third party Library and dynamically link to the library, or compile their own JIT code and run that code. Most of these are not things the original application needed to do or was programmed to do. Apple has provided a list of 13 dangerous operations; if an application running with a hardened runtime attempts to do any of these dangerous things, it is immediately shut down. Think of this as a ''gift'' to developers from Apple. The developer has no intention of opening your microphone and recording everything you say, but even if a hacker takes over, that hacker cannot turn on the microphone.
>>
>> However, some applications will want to do one or two of these prohibited operations. I've always dreamed of a TeX editor which used the video camera to scan handwritten commutative diagrams, and converted the scan into TeX code.
>>
>> So the list of 13 dangerous operations is accompanied by a list of 13 exceptions which developers can claim. A developer who wants to use the video camera can file an exception to that restriction, and then that developer is free to use the video camera.
>>
>> Note that there are the same number of exceptions as restrictions. Theoretically a developer could claim all 13 exceptions and then the hardened runtime would have no effect. Nobody at Apple approves exceptions, or even sees them. In XCode, for instance, a developer claims exceptions by checking boxes. Check 13 boxes and that developer is free to do anything.
>>
>> The full list of restrictions and exceptions is available from Apple:
>>
>>    https://developer.apple.com/documentation/security/hardened_runtime_entitlements#
>>
>> Only two command line programs in BasicTeX required exceptions. One of the prohibited actions is dynamically linking with Third Party code signed by a different developer. Luckily, TeX Live contains its own libraries statically linked. The one exception is X11, which most Linux and Unix systems provide directly. On the Macintosh, X11 is provided by a third party open source group. The programs mf and xdvi-xaw link with this X11 code and required exceptions.
>>
>> --------------------------
>>
>> Several years ago, Apple introduced "sandboxing" and required that all apps available through the Apple Store be sandboxed. A sandboxed application cannot perform various dangerous tasks. One of the prohibited operations is calling another program, a restriction which is almost fatal for TeX. Some of my friends fear that Apple is moving in the direction of requiring that all apps be sandboxed, and that only programs available in the App Store will be allowed to run on the machine. I do not share this pessimistic point of view, partially because many Apple engineers came from the open source movement, and partially because Apple officials have often declared that they have no intention of merging the Mac with the iPad and iPhone. But whether I am right or wrong, hardened runtimes are not something we need worry about. They are Apple's way of aiding developers to establish security, while not restricting what their programs can do.
>>
>>
>> Richard Koch
>> [hidden email]
>
> ---
> Murray Eisenberg [hidden email]
> 503 King Farm Blvd #101 Home (240)-246-7240
> Rockville, MD 20850-6667 Mobile (413)-427-5334
>
>

----------- Please Consult the Following Before Posting -----------
TeX FAQ: http://www.tex.ac.uk/faq
List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/tex/
List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
                https://email.esm.psu.edu/pipermail/macosx-tex/
TeX on Mac OS X Website: http://mactex-wiki.tug.org/
List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex

Re: Testing Hardened Runtime in Basic TeX

Murray Eisenberg
Thanks for the reassuring clarification.

My concern about the GUIs was due solely to never having directly installed any TeXLive distribution, only MacTeX distributions, in the past.

I was aware, of course, that the TeXLive Utility can do distribution switching.

So I did install BasicTeX-2019-Hardened (alongside TeXLive-2019) and found that the TeXLive Utility had already automatically switched to the latter.



> On 18 May 2019, at 4:06 PM, Richard Koch <[hidden email]> wrote:
>
> Gosh, we work for years on this stuff, and then it turns out that users are oblivious to it.  (No criticism, just a little astonishment!)
>
> 1) BasicTeX does not install GUI apps. It just installs a TeX Distribution. Your current GUI apps work fine with it.
>
> 2) BasicTeX is installed in /usr/local/texlive/2019basic. BasicTeX-2019-Hardened is installed in /usr/local/texlive/2019basic-hardened. The full TeX Live 2019 is in /usr/local/texlive/2019.
>
> 3) All TeX Distributions from us share ~/Library/texmf
>
> 4) Sometimes TeX Distributions need to write information (like font data) when being run by a user in user mode. They do this using special folders in ~/Library/texlive. Each distribution has two folders here for different kinds of data. The full TeX Live 2019's folders in the location are 2019/texmf-var and 2019/texmf-config. For BasicTeX this year, they are 2019basic/texmf-var and 2019basic/texmf-config. The hardened versions use 2019basic-hardened/texmf-var and 2019basic-hardened/texmf-config. All very systematic.
>
> 5) Long ago, Gerben Wierda and Jerome Laurens invented a "TeXDist data structure". Every one of our TeX Live based distributions has data there. Also, /Library/TeX/texbin, /Library/TeX/Documentation, /Library/TeX/Root point into this data structure. In particular, TeXLive-2018, TeXLive-2019, BasicTeX-2018, BasicTeX-2019, and BasicTeX-2019-Hardened each have sections of data there.
>
> 6) Remember long ago when Jerome Laurens had a Preference Pane which switched the active data? This pane actually switched a symbolic link in the TeX Dist data (NOT /Library/TeX/texbin, but some more hidden link).
> Switching this link automatically switched EVERYTHING, so your GUI apps, the command line, and everything suddenly used a different TeX Distribution.
>
> 7) More recently, TeX Live Utility is used to switch the default TeX distribution. It does exactly the same thing that the old Preference Pane did. The pane is now obsolete because Apple kept switching the standards which Pref Panes need to use: universal-binary, then 32-bit Intel, then 64-bit Intel with Garbage Collection, then 64-bit Intel without Garbage Collection but using Automatic Reference Counting. That's because Pref Panes are plug ins for Apple's Preference Pane application, so any change in that application changed how Pref Panes work. So we switched to TeX Live Utility.
>
> 8) So the answer to your full set of questions is that you can switch between TeXLive-2019 and BasicTeX-2019-Hardened exactly like you currently switch between TeXLive-2018 and TeXLive-2019.
>
> Dick Koch
> koch@uoregon,edu
>
>
>
>
>
>> On May 18, 2019, at 12:33 PM, Murray Eisenberg <[hidden email]> wrote:
>>
>> Although you say that installing BasicTeX-2019-Hardened will not overwrite MacTeX-2019, could you clarify some aspects of that claim?
>>
>> (1) Will existing GUI apps in /Applications/TeX, such as TeXShop.app, TeX Live Utility.app, be overwritten?
>>
>> What about existing ~/Library/texlive/2019, ~/Library/TeXShop ? (Also see #2, below.)
>>
>> (2) Installing BasicTeX-2019-Hardened must change the symbolic links  /Library/TeX/texbin and, I presume, /Library/TeX/Documentation, /Library/TeX/Root, and /Library/TeX/Distributions/Programs/texbin.
>>
>> Any others?
>>
>> (3) If I need to revert to the regular (full) MacTeX-2019 already installed, is there anything else I need to do besides changing those symbolic links back?
>>
>>
>>
>> ---
>> Murray Eisenberg [hidden email]
>> 503 King Farm Blvd #101 Home (240)-246-7240
>> Rockville, MD 20850-6667 Mobile (413)-427-5334
>>
>>

---
Murray Eisenberg [hidden email]
503 King Farm Blvd #101 Home (240)-246-7240
Rockville, MD 20850-6667 Mobile (413)-427-5334



Re: Testing Hardened Runtime in Basic TeX

Richard Koch-2
Murray,

Thanks very much for installing and testing. Please let me know of any problems.

It is good that you had all of those questions, because it shows that we are doing our job correctly. The whole point of MacTeX is to leave you free to do your work, rather than having to fiddle around with our distribution.

Dick Koch



Re: Testing Hardened Runtime in Basic TeX

Murray Eisenberg
In reply to this post by Richard Koch-2
Report on first using BasicTeX-2019-Hardened (the first BasicTeX of any variety that I’ve used) rather than the TeXLive-2019 that had been installed as part of MacTeX-2019:

(0) Environment:  macOS Mojave 10.14.5 with TeXShop 4.27

(1) For my book-length document, I had to manually install the following packages not included in BasicTeX, which I list in the order they were encountered in the dozen-file preamble and the root document:

        snapshot
        ifetex
        csquotes
        moresize
        enumitem
        xstring
        xpatch
        suffix.sty [in bigfoot !]
        pict2e
        tikz-cd
        lipsum
        cyrillic
        scalerel
        thmtools !!
        biblatex !!
        logreq
        nomencl
        repeatindex
        xurl
        xmpincl
        hyperxmp
        doclicense
        xifthen
        xassoccnt
        cleveref !!
        showlabels
        fixme
        ccicons

        Surprises or issues re packages:

                (a)  BasicTeX does not include thmtools, biblatex, or cleveref.

                (b) I had to search in my existing TeXLive-2019 (but could have searched instead at CTAN) for suffix.sty (in the bigfoot package) and the first Cyrillic-related missing file, namely, ot2end.sty (and presumably installing the cyrillic package took care of other files that might otherwise have been missing).

(2) Runs from within TeXShop of the latex (i.e., pdflatex) engine and then the pdflatexmk engine, with biber as the bibliography tool, and with the engine’s calls to makeindex, went just fine on my 613-page document.

(3) Comment: When doing the switch, I really appreciated having the alias /Library/TeX/texbin, so that no changes to path settings were needed in the TeXShop preferences!
 

> On 17 May 2019, at 5:38 PM, Richard Koch <[hidden email]> wrote:
>
> Folks,
>
> I'm hoping to recruit MacTeX users, particularly those running BasicTeX, to test a new distribution which will replace the current one this fall. This task should be easy:
>
> a) Download the following install package, which has size 105 MB
>
> https://pages.uoregon.edu/koch/BasicTeX-2019-Hardened.pkg
>
> 2) Install the package. It will not overwrite BasicTeX-2019 or MacTeX-2019, and it should behave just like BasicTeX-2019
>
> 3) Typeset your standard projects. If you run into difficulty, switch to your copy of BasicTeX-2019 and try again. If BasicTeX-2019 works but BasicTeX-2019-Hardened fails, write me and we will try to diagnose the problem.
>
> I already tried pdflatex, xelatex, and lualatex on a 120 page document. All three worked fine.
>
> Feel free to use TeX Live Utility to upgrade BasicTeX-2019 and BasicTeX-2019-Hardened during the test. This is not entirely optimal, since if any actual binaries are updated, then the hardened originals will be replaced by ordinary new copies. But we seldom update actual binaries during the year.
>

---
Murray Eisenberg [hidden email]
503 King Farm Blvd #101 Home (240)-246-7240
Rockville, MD 20850-6667 Mobile (413)-427-5334



Re: Testing Hardened Runtime in Basic TeX

Richard Koch-2
Murray,

Thanks for this test, and even more for the detailed report.

The line that stands out to me is that you use biber. Biber is not in BasicTeX and thus was not in this BasicTeX-Hardened package. I suppose you got it from one of the extra packages you installed. Do you know which one has it?

The reason this is interesting is that biber is a special case. When TeX Live is compiled, the builders do not compile biber. Instead its authors provide pre-compiled binaries which are inserted into TeX Live. When I had to adopt hardened runtimes for the various binary programs in TeX, the one program that did not work was biber. I notified the authors and they are working on that problem. At last report they had made progress, but still did not have a version which could adopt a hardened runtime and yet work correctly.

The binaries that were added by the packages you added do NOT have hardened runtimes. But we have also tested the full MacTeX, and it is known that biber is the only case of a TeX binary which cannot currently be hardened.

The key unknown is whether any of the remaining binaries require "exceptions" to run correctly.

Dick Koch

> On May 21, 2019, at 12:29 PM, Murray Eisenberg <[hidden email]> wrote:
>
> Report on first using BasicTeX-2019-Hardened (the first BasicTeX of any variety that I’ve used) rather than the TeXLive-2019 that had been installed as part of MacTeX-2019:
>
> (0) Environment:  macOS Mojave 10.14.5 with TeXShop 4.27
>
> (1) For my book-length document, I had to manually install the following packages not included in BasicTeX, which I list in the order they were encountered in the dozen-file preamble and the root document:
>
> snapshot
> ifetex
> csquotes
> moresize
> enumitem
> xstring
> xpatch
> suffix.sty [in bigfoot !]
> pict2e
> tikz-cd
> lipsum
> cyrillic
> scalerel
> thmtools !!
> biblatex !!
> logreq
> nomencl
> repeatindex
> xurl
> xmpincl
> hyperxmp
> doclicense
> xifthen
> xassoccnt
> cleveref !!
> showlabels
> fixme
> ccicons
>
> Surprises or issues re packages:
>
> (a)  BasicTeX does not include thmtools, biblatex, or cleveref.
>
> (b) I had to search in my existing TeXLive-2019 (but could have searched instead at CTAN) for suffix.sty (in the bigfoot package) and the first Cyrillic-related missing file, namely, ot2end.sty (and presumably installing the cyrillic package took care of other files that might otherwise have been missing).
>
> (2) Runs from within TeXShop of the latex (i.e., pdflatex) engine and then the pdflatexmk engine, with biber as the bibliography tool, and with the engine’s calls to makeindex, went just fine on my 613-page document.
>
> (3) Comment: When doing the switch, I really appreciated having the alias /Library/TeX/texbin, so that no changes to path settings were needed in the TeXShop preferences!
>
>
>
> ---
> Murray Eisenberg [hidden email]
> 503 King Farm Blvd #101 Home (240)-246-7240
> Rockville, MD 20850-6667 Mobile (413)-427-5334
>
>
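The message above says that binaries added later by TeX Live packages are not hardened and that the open question is which binaries need "exceptions"; both can be checked per binary from `codesign` output. The following is an added example, not part of the original thread or of MacTeX: it classifies `codesign -dv` output by the `runtime` flag and lists the exception entitlements a binary claims. The sample outputs and the name `exampletool` are constructed, and `com.apple.security.cs.disable-library-validation` is assumed here to be the entitlement matching the third-party-library exception the thread describes.

```python
"""Classify binaries in a TeX bin directory by hardened-runtime status."""
import os
import plistlib
import re
import shutil
import subprocess
import sys

CS_RUNTIME = 0x10000  # CodeDirectory flag that codesign prints as "runtime"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf",  # universal (fat) binary
}
# Entitlement families that relax the hardened runtime or grant resource access.
EXCEPTION_PREFIXES = (
    "com.apple.security.cs.",
    "com.apple.security.device.",
    "com.apple.security.personal-information.",
    "com.apple.security.automation.",
)

# Constructed samples of `codesign -dv` output (hypothetical binary and path).
SAMPLE_HARDENED = (
    "Executable=/path/to/bin/exampletool\n"
    "Identifier=exampletool\n"
    "Format=Mach-O thin (x86_64)\n"
    "CodeDirectory v=20500 size=4096 flags=0x10000(runtime) hashes=120+5 location=embedded\n"
)
SAMPLE_NOT_HARDENED = SAMPLE_HARDENED.replace("flags=0x10000(runtime)", "flags=0x0(none)")
SAMPLE_UNSIGNED = "/path/to/bin/exampletool: code object is not signed at all\n"
# Constructed entitlements plist: one exception claimed, one explicitly false.
SAMPLE_ENTITLEMENTS = plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.cs.allow-jit": False,
})


def parse_flags(dv_text):
    """Return the CodeDirectory flags from `codesign -dv` output, None if unsigned."""
    m = re.search(r"^CodeDirectory .*\bflags=0x([0-9a-fA-F]+)", dv_text, re.M)
    return int(m.group(1), 16) if m else None


def parse_exceptions(plist_bytes):
    """Return sorted exception entitlements that are set to true in the plist."""
    if not plist_bytes.strip():
        return []  # codesign prints nothing when no entitlements are embedded
    ents = plistlib.loads(plist_bytes)
    return sorted(k for k, v in ents.items()
                  if v is True and k.startswith(EXCEPTION_PREFIXES))


def classify(dv_text, plist_bytes=b""):
    """Combine signature flags and entitlements into one report entry."""
    flags = parse_flags(dv_text)
    if flags is None:
        status = "unsigned"
    elif flags & CS_RUNTIME:
        status = "hardened"
    else:
        status = "signed, not hardened"
    return {"status": status, "exceptions": parse_exceptions(plist_bytes)}


def is_macho(path):
    """True if the file starts with a Mach-O or universal-binary magic number."""
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def audit_dir(bin_dir):
    """Run codesign on every real Mach-O file in bin_dir (macOS only)."""
    report = {}
    for name in sorted(os.listdir(bin_dir)):
        path = os.path.join(bin_dir, name)
        # TeX Live bin directories are mostly symlinks and scripts; skip those.
        if os.path.islink(path) or not os.path.isfile(path) or not is_macho(path):
            continue
        dv = subprocess.run(["codesign", "-dv", path],
                            capture_output=True, text=True)
        ent = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                             capture_output=True)
        report[name] = classify(dv.stderr, ent.stdout)  # -dv writes to stderr
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1 and shutil.which("codesign"):
        results = audit_dir(sys.argv[1])
    else:  # no directory given, or not on macOS: show the constructed samples
        results = {
            "sample hardened": classify(SAMPLE_HARDENED, SAMPLE_ENTITLEMENTS),
            "sample not hardened": classify(SAMPLE_NOT_HARDENED),
            "sample unsigned": classify(SAMPLE_UNSIGNED),
        }
    for name, info in results.items():
        print(f"{name}: {info['status']} exceptions={info['exceptions']}")
```

On macOS, pass the bin directory as the argument, for example the `/usr/local/texlive/2019basic-hardened/bin/x86_64-darwin` path mentioned in the thread; anything reported as "signed, not hardened" or "unsigned" was not hardened by the installer package.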

Re: Testing Hardened Runtime in Basic TeX

Murray Eisenberg
Oops…the log file shows:

  Package biblatex Warning: Using fall-back BibTeX(8) backend:
  (biblatex)                functionality may be reduced/unavailable.

And I realized that at some point I had changed the backend option for biblatex from biber to biblatex.

So I just manually installed the package

        biber > x86_64-darwin ,

changed the biblatex backend option to biber, and everything was OK.


> On 21 May 2019, at 3:43 PM, Richard Koch <[hidden email]> wrote:
>
> Murray,
>
> Thanks for this test, and even more for the detailed report.
>
> The line that stands out to me is that you use biber. Biber is not in BasicTeX and thus was not in this BasicTeX-Hardened package. I suppose you got it from one of the extra packages you installed. Do you know which one has it?
>
> The reason this is interesting is that biber is a special case. When TeX Live is compiled, the builders do not compile biber. Instead its authors provide pre-compiled binaries which are inserted into TeX Live. When I had to adopt hardened runtimes for the various binary programs in TeX, the one program that did not work was biber. I notified the authors and they are working on that problem. At last report they had made progress, but still did not have a version which could adopt a hardened runtime and yet work correctly.
>
> The binaries that were added by the packages you added do NOT have hardened runtimes. But we have also tested the full MacTeX, and it is known that biber is the only case of a TeX binary which cannot currently be hardened.
>
> The key unknown is whether any of the remaining binaries require "exceptions" to run correctly.
>
> Dick Koch
>

---
Murray Eisenberg [hidden email]
503 King Farm Blvd #101 Home (240)-246-7240
Rockville, MD 20850-6667 Mobile (413)-427-5334



Re: Testing Hardened Runtime in Basic TeX

Murray Eisenberg
In reply to this post by Richard Koch-2
Are you aware of binaries included among the files for the packages in the list that I added (other than biber)?  I don’t find any suspects among those now in:

/usr/local/texlive/2019basic-hardened/bin/x86_64-darwin
 

On 21 May 2019, at 3:43 PM, Richard Koch <[hidden email]> wrote:

...The binaries that were added by the packages you added do NOT have hardened runtimes. But we have also tested the full MacTeX, and it is known that biber is the only case of a TeX binary which cannot currently be hardened.

The key unknown is whether any of the remaining binaries require "exceptions" to run correctly.

Dick Koch

On May 21, 2019, at 12:29 PM, Murray Eisenberg <[hidden email]> wrote:

Report on first using BasicTeX-2019-Hardened (the first BasicTeX of any variety that I’ve used) rather than the TeXLive-2019 that had been installed as part of MacTeX-2019:

(0) Environment:  macOS Mojave 10.14.5 with TeXShop 4.27

(1) For my book-length document, I had to manually install the following packages not included in BasicTeX, which I list in the order they were encountered in the dozen-file preamble and the root document:

snapshot
ifetex
csquotes
moresize
enumitem
xstring
xpatch
suffix.sty [in bigfoot !]
pict2e
tikz-cd
lipsum
cyrillic
scalerel
thmtools !!
biblatex !!
logreq
nomencl
repeatindex
xurl
xmpincl
hyperxmp
doclicense
xifthen
xassoccnt
cleveref !!
showlabels
fixme
ccicons

Surprises or issues re packages:

(a)  BasicTeX does not include thmtools, biblatex, or cleveref.

(b) I had to search in my existing TeXLive-2019 (but could have searched instead at CTAN) for suffix.sty (in the bigfoot package) and the first Cyrillic-related missing file, namely, ot2end.sty (and presumably installing the cyrillic package took care of other files that might otherwise have been missing).

(2) Runs from within TeXShop of the latex (i.e., pdflatex) engine and then the pdflatexmk engine, with biber as the bibliography tool, and with the engine’s calls to makeindex, went just fine on my 613-page document.

(3) Comment: When doing the switch, I really appreciated having the alias /Library/TeX/texbin, so that no changes to path settings were needed in the TeXShop preferences!


On 17 May 2019, at 5:38 PM, Richard Koch <[hidden email]> wrote:

Folks,

I'm hoping to recruit MacTeX users, particularly those running BasicTeX, to test a new distribution which will replace the current one this fall. This task should be easy:

a) Download the following install package, which has size 105 MB

https://pages.uoregon.edu/koch/BasicTeX-2019-Hardened.pkg

2) Install the package. It will not overwrite BasicTeX-2019 or MacTeX-2019, and it should behave just like BasicTeX-2019

3) Typeset your standard projects. If you run into difficulty, switch to your copy of BasicTeX-2019 and try again. If BasicTeX-2019 works but BasicTeX-2019-Hardened fails, write me and we will try to diagnose the problem.

I already tried pdflatex, xelatex, and lualatex on a 120 page document. All three worked fine.

Feel free to use TeX Live Utility to upgrade BasicTeX-2019 and BasicTeX-2019-Hardened during the test. This is not entirely optimal, since if any actual binaries are updated, then the hardened originals will be replaced by ordinary new copies. But we seldom update actual binaries during the year.



---
Murray Eisenberg [hidden email]
503 King Farm Blvd #101 Home (240)-246-7240
Rockville, MD 20850-6667 Mobile (413)-427-5334
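
One way to check the question raised in this exchange (which entries in the bin directory are real Mach-O binaries, and whether each carries the hardened-runtime flag), as an added example that is not part of the original posts or of MacTeX. It assumes macOS's `codesign -d --verbose=4` output, where a hardened binary lists `runtime` inside the `flags=0x...(...)` field; the function names and the script name `audit.sh` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify entries of a TeX bin directory.

# is_macho FILE: succeeds if FILE starts with a Mach-O or fat-binary magic.
# (cafebabe is shared with Java class files; none are expected in this dir.)
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \t\n')
    case "$magic" in
        cffaedfe|cefaedfe|feedfacf|feedface|cafebabe) return 0 ;;
        *) return 1 ;;
    esac
}

# runtime_state: reads `codesign -d --verbose=4` output on stdin and prints
# hardened, signed-not-hardened, unsigned, or unknown.
runtime_state() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*) echo unsigned; return 0 ;;
    esac
    # Pull the flag names inside flags=0x...(...) on the CodeDirectory line.
    flags=$(printf '%s\n' "$out" |
        sed -n 's/^CodeDirectory .*flags=[^(]*(\([^)]*\)).*/\1/p' | head -n 1)
    case ",$flags," in
        ,,) echo unknown ;;
        *,runtime,*) echo hardened ;;
        *) echo signed-not-hardened ;;
    esac
}

# audit_dir DIR: prints STATE<TAB>NAME for every entry in DIR.
# Symlinks (e.g. links to scripts) are classified by their target only.
audit_dir() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if [ -L "$f" ]; then
            if is_macho "$f"; then state=symlink-to-macho
            else state=symlink-not-macho; fi
        elif ! is_macho "$f"; then
            state=not-macho
        else
            state=$(codesign -d --verbose=4 "$f" 2>&1 | runtime_state)
        fi
        printf '%s\t%s\n' "$state" "$name"
    done
}

# Usage: sh audit.sh /usr/local/texlive/2019basic-hardened/bin/x86_64-darwin
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```

Lines reported as `signed-not-hardened` or `unsigned` are the binaries that a later package install or update left without a hardened runtime.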




Re: Testing Hardened Runtime in Basic TeX

Herbert Schulz
In reply to this post by Murray Eisenberg
> On May 21, 2019, at 3:52 PM, Murray Eisenberg <[hidden email]> wrote:
>
> Oops…the log file shows:
>
>  Package biblatex Warning: Using fall-back BibTeX(8) backend:
>  (biblatex)                functionality may be reduced/unavailable.
>
> And I realized that at some point I had changed the backend option for biblatex from biber to biblatex.
>
> So I just manually installed the package
>
> biber > x86_64-darwin ,
>
> changed the biblatex backend option to biber, and everything was OK.

Howdy,

I assume you mean backend=bibtex not biblatex.

I don't know if you are using the glossaries back and glossaries-extra in particular. There is a bib2gls binary (it's really a link to a shell script) that goes along with that package.

Good Luck,

Herb Schulz
(herbs at wideopenwest dot com)


Re: Testing Hardened Runtime in Basic TeX

Murray Eisenberg


> On 21 May 2019, at 5:34 PM, Herbert Schulz <[hidden email]> wrote:
>
>> On May 21, 2019, at 3:52 PM, Murray Eisenberg <[hidden email]> wrote:
>>
>> Oops…the log file shows:
>>
>> Package biblatex Warning: Using fall-back BibTeX(8) backend:
>> (biblatex)                functionality may be reduced/unavailable.
>>
>> And I realized that at some point I had changed the backend option for biblatex from biber to biblatex.
>>
>> So I just manually installed the package
>>
>> biber > x86_64-darwin ,
>>
>> changed the biblatex backend option to biber, and everything was OK.
>
> Howdy,
>
> I assume you mean backend=bibtex not biblatex.
>
> I don't know if you are using the glossaries back and glossaries-extra in particular. There is a bib2gls binary (it's really a link to a shell script) that goes along with that package.
>

Yes, sorry, indeed: “backend-bibtex”

---
Murray Eisenberg [hidden email]
503 King Farm Blvd #101 Home (240)-246-7240
Rockville, MD 20850-6667 Mobile (413)-427-5334

