[pkg-gnupg-maint] Bug#911189: Bug#911189: gpgme-json packaging
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Aug 7 00:57:25 BST 2024
Hi Sébastien--
On Tue 2024-08-06 23:53:21 +0200, Sébastien Noel wrote:
> I acknowledge that the last 5 years have been "bumpy" in the gnupg
> community (omg the certificates flooding incident was that long ago ??
> time flies) and that working with an increasingly hostile upstream
> must be difficult.
thanks for acknowledging the complexities here.
> I don't understand why you, with your "downstream packager hat", have to
> rethink about that.
As a downstream packager, i think about what i'm responsible for
maintaining and distributing to other users. In the case of GnuPG, i
started doing maintenance work on it in Debian because i see it as a
piece of critical infrastructure that needed a hand. That does not
obligate me to distribute additional things that i think are not
critical infrastructure, or indeed might be actively risky for
downstream users.
> - If the "security implications of connecting GnuPG to your web browser"
> were so severe, don't you think that "upstream" wouldn't have developed
> this if it was insecure ? If you had any concern, that should be raised
> to another level with your "upstream developer hat".
While the GnuPG developers have occasionally seen me as part of
"upstream" in the past, i would guess that they don't see me that way
today. And at any rate, they are as free to disagree with me as i am
with them. Just because they want to hook their secret key material up
to their web browser doesn't mean it's something i am obliged to spend
my time supporting.
fwiw, i was really happy with this idea, years ago, and even helped to
get the FireGPG browser extension packaged for debian. It turned out
that was a bad idea, because of UX security problems that were never
adequately resolved to my knowledge. Once bitten, twice shy.
My understanding is that Mailvelope (one consumer of gpgme-json, aiui)
may have similar concerns around in-browser UI, javascript, and
same-origin policy -- have you done the analysis that shows that
mailvelope is safe to use in that context? For example, are we
confident that gmail can't exfiltrate decrypted messages, or spoof
signature status for people who use mailvelope? (i'm hoping the answer
is that mailvelope is safe, but i haven't read such an analysis, nor
have i conducted it myself.) What about for other consumers of
gpgme-json?
Put more broadly: What's the goal here in terms of our users? What
functionality are we trying to offer users (or developers)? What risks
are we exposing them to?
> But certainly not by doing obstruction here in Debian.
I'm not trying to do "obstruction", for what it's worth. I'm simply
rationing my time and emotional energy. I've been asking more people to
step up to help with the packaging, infrastructure, and security work
here for years, and Andreas Metzler has been one of the few people to
step up with any significant effort (thank you Andreas!) I'm sorry i
haven't had the capacity to review additional work that seems
fundamentally risky to me.
> - Half of the world is already doing it anyway (via ubuntu & fedora)
> and nothing bad happened. I know it's not an excuse, as they say
> "billions of flies like shit", but come on...
I don't understand this as an argument about why i should spend my time
on this, sorry.
> This is bullshit. You are still not addressing the problem, and
> burying your head in the sand. Patches have been posted. The work is
> done. WE ARE WAITING FOR REVIEW.
Which patches are you asking for review on? The patches at
https://salsa.debian.org/debian/gpgme/-/merge_requests/1
currently have merge conflicts. If you are currently using an updated set
of patches that don't have merge conflicts, please point to them. Yes,
patches can take a while to land. If you're using them regularly, you
can demonstrate that (and save other people's cycles) by keeping the
patch series up to date in a visible place.
Even better if they can step up and offer to provide ongoing support for
the tooling if/when any issues arise. (in GnuPG, issues seem to arise
with great regularity, and i'm struggling with that for the packages we
already do support in debian).
If you're talking about
https://salsa.debian.org/debian/gpgme/-/merge_requests/2
which appears to be a superset of !1, then it, too, still has merge
conflicts.
> Once reviews are done & comments posted, corrections will come.
OK, i've now added some comments on MR !2, since i'm not sure where else
you want the comments. I hope they're understandable.
> But right now all you are doing is playing for time.
I'm not "playing for time", i'm spending my time trying to communicate
the concerns i have, and hoping that folks who share those concerns but
still want to advance the project would (a) provide reasoned discussion
about those concerns, and (b) would try to demonstrate that the code
they're proposing is working, is safe to use, and is not going to
increase the maintenance burden i'm already failing at.
> Sorry for not being nicer, but once again i feel that those with an
> @debian.org email address are just shitting on the others.
I do not mean to shit on you, or on anyone else. I welcome
contributions, and i'm sorry for my own lack of capacity, but i really
am a limited human being.
All the best,
--dkg