Hi Sébastien--

On Tue 2024-08-06 23:53:21 +0200, Sébastien Noel wrote:
> I acknowledge that the last 5 years have been "bumpy" in the gnupg
> community (omg the certificates flooding incident was that long ago ??
> time flies) and that working with an increasingly hostile upstream
> must be difficult.
thanks for acknowledging the complexities here.

> I don't understand why you, with your "downstream packager hat", have to
> rethink about that.

As a downstream packager, i think about what i'm responsible for maintaining and distributing to other users. In the case of GnuPG, i started doing maintenance work on it in Debian because i see it as a piece of critical infrastructure that needed a hand. That does not obligate me to distribute additional things that i think are not critical infrastructure, or indeed might be actively risky for downstream users.

> - If the "security implications of connecting GnuPG to your web browser"
> were so severe, don't you think that "upstream" wouldn't have developed
> this if it was insecure ? If you had any concern, that should be raised
> to another level with your "upstream developer hat".

While the GnuPG developers have occasionally seen me as part of "upstream" in the past, i would guess that they don't see me that way today. And at any rate, they are as free to disagree with me as i am with them. Just because they want to hook their secret key material up to their web browser doesn't mean it's something i am obliged to spend my time supporting.

fwiw, i was really happy with this idea, years ago, and even helped to get the FireGPG browser extension packaged for debian. It turned out that was a bad idea, because of UX security problems that were never adequately resolved to my knowledge. Once bitten, twice shy.

My understanding is that Mailvelope (one consumer of gpgme-json, aiui) may have similar concerns around in-browser UI, javascript, and same-origin policy -- have you done the analysis that shows that mailvelope is safe to use in that context? For example, are we confident that gmail can't exfiltrate decrypted messages, or spoof signature status for people who use mailvelope?

(i'm hoping the answer is that mailvelope is safe, but i haven't read such an analysis, nor have i conducted it myself)

What about for other consumers of gpgme-json?

Put more broadly: What's the goal here in terms of our users? What functionality are we trying to offer users (or developers)? What risks are we exposing them to?

> But certainly not by doing obstruction here in Debian.

I'm not trying to do "obstruction", for what it's worth. I'm simply rationing my time and emotional energy. I've been asking more people to step up to help with the packaging, infrastructure, and security work here for years, and Andreas Metzler has been one of the few people to step up with any significant effort (thank you Andreas!). I'm sorry i haven't had the capacity to review additional work that seems fundamentally risky to me.

> - Half of the world is already doing it anyway (via ubuntu & fedora)
> and nothing bad happened. I know it's not an excuse, as they said
> "billions of flies like shit", but come on...

I don't understand this as an argument about why i should spend my time on this, sorry.

> This is bullshit. You are still not addressing the problem, and
> burying your head in the sand. Patches have been posted. The work is
> done. WE ARE WAITING FOR REVIEW.

Which patches are you asking for review on? The patches at https://salsa.debian.org/debian/gpgme/-/merge_requests/1 currently have merge conflicts. If you are currently using an updated set of patches that don't have merge conflicts, please point to them.

Yes, patches can take a while to land. If you're using them regularly, you can demonstrate that (and save other people's cycles) by keeping the patch series up to date in a visible place. Even better if they can step up and offer to provide ongoing support for the tooling if/when any issues arise. (in GnuPG, issues seem to arise with great regularity, and i'm struggling with that for the packages we already do support in debian).

If you're talking about https://salsa.debian.org/debian/gpgme/-/merge_requests/2, which appears to be a superset of !1, then it too still has merge conflicts.

> Once reviews are done & comments posted, corrections will come.

OK, i've now added some comments on MR !2, since i'm not sure where else you want the comments. I hope they're understandable.

> But right now all you are doing is playing for time.

I'm not "playing for time", i'm spending my time trying to communicate the concerns i have, and hoping that folks who share those concerns but still want to advance the project would (a) provide reasoned discussion about those concerns, and (b) try to demonstrate that the code they're proposing is working, is safe to use, and is not going to increase the maintenance burden i'm already failing at.

> Sorry for not being nicer, but once again i feel that those with an
> @debian.org email address are just shitting on the others.

I do not mean to shit on you, or on anyone else. I welcome contributions, and i'm sorry for my own lack of capacity, but i really am a limited human being.

All the best,

--dkg