[pkg-gnupg-maint] Bug#911189: Bug#911189: gpgme-json packaging

Sébastien Noel sebastien at twolife.be
Wed Aug 7 23:53:04 BST 2024


Hi Daniel,

Thank you very much again for taking the time to respond to my offensive 
email that i'm not proud of :/

Le 2024-08-07 01:57, Daniel Kahn Gillmor a écrit :
> Hi Sébastien--
> 
> [...]
> 
>> I don't understand why you, with your "downstream packager hat", have
>> to rethink about that.
> 
> As a downstream packager, i think about what i'm responsible for
> maintaining and distributing to other users.  In the case of GnuPG, i
> started doing maintenance work on it in Debian because i see it as a
> piece of critical infrastructure that needed a hand.  That does not
> obligate me to distribute additional things that i think are not
> critical infrastructure, or indeed might be actively risky for
> downstream users.

this makes perfect sense.

>> - If the "security implications of connecting GnuPG to your web browser"
>> were so severe, don't you think that "upstream" wouldn't have developed
>> this if it was insecure? If you had any concern, that should be raised
>> to another level with your "upstream developer hat".
> 
> While the GnuPG developers have occasionally seen me as part of
> "upstream" in the past, i would guess that they don't see me that way
> today.  And at any rate, they are as free to disagree with me as i am
> with them.  Just because they want to hook their secret key material up
> to their web browser doesn't mean it's something i am obliged to spend
> my time supporting.

that's my main point: you are under no obligation to support it 
yourself; help & code are provided here, but that help seemed to be 
unwelcome/ignored :/

> fwiw, i was really happy with this idea, years ago, and even helped to
> get the FireGPG browser extension packaged for debian.  It turned out
> that was a bad idea, because of UX security problems that were never
> adequately resolved to my knowledge.  Once bitten, twice shy.
> 
> My understanding is that Mailvelope (one consumer of gpgme-json, aiui)
> may have similar concerns around in-browser UI, javascript, and
> same-origin policy -- have you done the analysis that shows that
> mailvelope is safe to use in that context?  For example, are we
> confident that gmail can't exfiltrate decrypted messages, or spoof
> signature status for people who use mailvelope?  (i'm hoping the answer
> is that mailvelope is safe, but i haven't read such an analysis, nor
> have i conducted it myself) What about for other consumers of
> gpgme-json?

I am in no position to have done any security analysis of any GnuPG 
component.
But I am the kind of person that trusts upstream devs. So if GnuPG offers 
a binary that browsers can use IF they clear the way by providing a file 
with some kind of UID to identify extensions that are permitted to use 
it, i'm the kind of person that will blindly trust the system.
Call me naive, but that's who i am.

> Put more broadly: What's the goal here in terms of our users?  What
> functionality are we trying to offer users (or developers)?  What risks
> are we exposing them to?

The goal is to allow Mailvelope to talk to secret key material.
Only Mailvelope.
And i want to emphasise that it *talks* to secret key material, it doesn't 
have access to it (secret keys still don't leave the 
openpgpcard/yubikey/whatever-hardware-you-have)

>> But certainly not by doing obstruction here in Debian.
> 
> I'm not trying to do "obstruction", for what it's worth.  I'm simply
> rationing my time and emotional energy.  I've been asking more people
> to step up to help with the packaging, infrastructure, and security work
> here for years, and Andreas Metzler has been one of the few people to
> step up with any significant effort (thank you Andreas!)  I'm sorry i
> haven't had the capacity to review additional work that seems
> fundamentally risky to me.

ACK; sorry for using the strong word "obstruction".
What I wanted to reflect was the feeling that i was talking to /dev/null 
until now.

> Which patches are you asking for review on?
> [...]

I was talking about the commits here
https://salsa.debian.org/twolife/gpgme/-/commits/gpgmejson
that I pointed to in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911189#84

I didn't make another MR, as the other ones were ignored.
I simply assumed you were one of the many DDs that dislike MRs on salsa,
as seems to be the case for a majority of DDs, based on
- the number of my own ignored MRs
- the thread about DEP-18 on the d-devel ML, if i interpret it correctly

So i posted it to debbugs. But it was also ignored.
One of the many things that make me angry and write insulting emails 
:-/

But if all you want is an updated/non-conflicting MR, i can do that in 
seconds.

>> Once reviews are done & comments posted, corrections will come.
> 
> OK, i've now added some comments on MR !2, since i'm not sure where
> else you want the comments.  I hope they're understandable.

Except for the part where you ask for an analysis, i'm sure I can answer 
everything else. I will do that promptly.

>> But right now all you are doing is playing for time.
> 
> I'm not "playing for time", i'm spending my time trying to communicate
> the concerns i have

You are communicating *now*, that's the big difference between now & the 
last 4 years on this front.
Again: thank you.

best regards,

Sébastien

> and hoping that folks who share those concerns but
> still want to advance the project would (a) provide reasoned discussion
> about those concerns, and (b) would try to demonstrate that the code
> they're proposing is working, is safe to use, and is not going to
> increase the maintenance burden i'm already failing at.
> 
>> Sorry for not being nicer, but once again i feel that those with an
>> @debian.org email address are just shitting on the others.
> 
> I do not mean to shit on you, or on anyone else.  I welcome
> contributions, and i'm sorry for my own lack of capacity, but i really
> am a limited human being.
> 
> All the best,
> 
>     --dkg
