[arch-general] Harassment by David Runge
(Please (also) reply personally to me if you want me to read a reply, as I don't monitor the list).

Hi!

I was recently harassed by David Runge <dave@sleepmap.de>, by e-mail.

I don't know if this is the right place to report this, but I looked at the wiki and the code of conduct, and this seemed the most fitting place (as there doesn't seem to be a specific contact for this kind of issue). If I am wrong, and there is a better place to send this to, I'd be happy to be redirected.

Background: I am the author and/or maintainer of various software packages such as rxvt-unicode or gnu vpe, many of which are distributed as part of popular software distributions such as Debian GNU/Linux and others.

A few of my packages are distributed on http://dist.schmorp.de/, backed up by signify signatures, in turn backed up by gpg(1), and other means.

On 2019-05-10 I was contacted, in German, by David Runge (pgp fingerprint 91BD8815...).

He stated that he is in the process of packaging php-redis and liblzf (my software package) for arch linux, and claimed that the signatures on my server are not valid, which would be a serious issue for data integrity, so I was quite alarmed. He also asked whether I could provide individual gpg signatures instead, as, apparently, the arch build system treats all .sig files as gpg files and that not doing this would make it impossible to verify the downloads.

I immediately asked him what is wrong with the signatures and why they wouldn't be valid, what file exactly does not verify and how exactly does he verify them. I also pointed him at the documentation on the signatures in (1) and offered to help in case of problems.

He replied that the arch build system automatically treats all .sig files as gpg signatures, and that this can't be switched off; that the signature for http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz does not verify, and claimed this affects all of the file signatures.

I in turn replied that I consider this a candidate for a bug report against the arch build system, as it shouldn't enforce treatment of a random .sig file as a gpg signature. I also pointed out that it is a security bug if arch linux treats .sig files without a hardcoded or otherwise authenticated gpg key id, and shouldn't rely on a random openpgp signature, even if that signature verifies. I did mention that I can hardly imagine that the arch build system would be that broken however.

Again I asked for details of what is not valid with the existing signatures. I also pointed out that if he cannot implement the signify signatures automatically, he could still get cryptographic protection by including a hardcoded checksum of the release tarball into the package build system, which would solve the problem of verification. Lastly I pointed out that a separate gnupg signature for every file would result in a rather large overhead for me, especially since no other distribution requires this.

Up until this point, I respectfully tried to a) find out why he claims the signatures were not valid and b) constructively tried to find a solution that would work for everybody and c) get him to report bugs against the arch build system if it is really as broken as he described it, to improve arch linux.

I then received a mail full of ad hominems, calling my attempts at solving his problem "sad", making a strange claim that it seems important for me that my software is used (which potentially implies a threat of not packaging my software if I don't comply, of course), attacked me for "denouncing the work of others", called my replies "disdainful rants", questioned my motives when I tried to improve arch linux by pointing out potential security issues and so on.

All of which was completely uncalled for, and, frankly, most of which left me puzzled at where he would even get those ideas.

At no point did he provide any details on his claim that the existing signatures were not valid.

The above is an essentially complete and factual summary of the e-mail exchange, which I can back up by the original (German) e-mails.

I can distinguish between individuals claiming to speak for arch linux and the body of people who actually comprise the project as a whole, but the fact that at least this arch maintainer tries to harass upstream authors into compliance with the arch build system and his very unprofessional and insulting style of conduct reflects back badly on arch linux as a whole, especially as I have been writing and distributing free software for over 25 years now, and never had this kind of problem with a software distribution.

I (of course) assume (but don't know) that enforcing compliance with questionable security practices is not the official position of the arch project as a whole.

Respectfully yours,
Marc Lehmann

(1) http://dist.schmorp.de/signing-key.txt

-- The choice of a Deliantra, the free code+content MORPG -----==- _GNU_ http://www.deliantra.net ----==-- _ generation ---==---(_)__ __ ____ __ Marc Lehmann --==---/ / _ \/ // /\ \/ / schmorp@schmorp.de -=====/_/_//_/\_,_/ /_/\_\
For clarity, on 05/11, Marc Lehmann via arch-general wrote:
He replied that the arch build system automatically treats all .sig files as gpg signatures, and that this can't be switched off; that the signature for http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz does not verify, and claimed this affects all of the file signatures.
This is indeed the case, see [0].
I in turn replied that I consider this a candidate for a bug report against the arch build system, as it shouldn't enforce treatment of random .sig file as gpg signature. I also pointed out that it is a security bug if arch linux treats .sig files without a hardcoded or otherwise authenticated gpg key id, and shouldn't rely on a random openpgp signature, even if that signature verifies. I did mention that I can hardly imagine that the arch build system would be that broken however.
But this part is not, i.e. makepkg will only accept signatures from key(s) whose fingerprints are specified in validpgpkeys, and will not accept other random signatures. So there is no security issue here.

I hope that was helpful.

Regards,
Tharre

[0] https://wiki.archlinux.org/index.php/PKGBUILD#Sources

-- PGP fingerprint: 42CE 7698 D6A0 6129 AA16 EF5C 5431 BDE2 C8F0 B2F4
Hi,

consider reading this thread, https://lists.linuxaudio.org/archives/linux-audio-user/2019-February/111637.....

The community not only off-list second that I have not done anything wrong, they also second that by mails to the mailing list. However, for no reason he banned me from more than just this mailing list and he shut down the list for a while, so nobody could second anymore that he is wrong.

Perhaps you should at least monitor this list and the AUR mailing list, then you would know that not all TUs agree with the behaviour of some TUs ;).
I then received a mail full of ad hominems, calling my attempts at solving his problem "sad", making a strange claim that it seems important for me that my software is used (which potentially implies a threat of not packaging my software if I don't comply, of course), attacked me for "denouncing the work of others", called my replies "disdainful rants", questioned my motives when I tried to improve arch linux by pointing out potential security issues and so on.
Hahaha, this is normal behaviour of David. He found the same words to describe other people and also to describe me. Take an educated guess why he is doing this again and again ;).

Ignore him and calm down! Don't waste your time with him!

Regards,
Ralf
I am unable to locate PKGBUILDs for the packages mentioned, php-redis and liblzf. I've looked on the site you mentioned, Archlinux's packages, and in AUR. Am I missing something? Do you maintain Archlinux packages for these? Or is it that David is perhaps trying to make a PKGBUILD and asking that the source be pgp signed?

Archlinux pkgs typically use gpg, I personally have never heard of the tool you signed your source with. I don't know what all happened between you two but if you're the author of these packages I think a more traditional means of integrity/authenticity would be helpful... gpg/pgp, sha256 etc.

I recognize base64 but RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0= in the sig file associated with liblzf... But it's useless to me without the extraneous tool I'm not installing. Seeing as git signs with gpg I think it's fair to say that's the norm.

On Sat, May 11, 2019, 9:20 AM Marc Lehmann via arch-general <arch-general@archlinux.org> wrote:
On 13.05.19 at 13:53, Justin Capella via arch-general wrote: ...
I recognize base64 but RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0= in the sig file associated with liblzf... But it's useless to me without the extraneous tool I'm not installing. Seeing as git signs with gpg I think it's fair to say that's the norm.
... The tool he uses is called signify, which is the "OpenBSD tool to sign and verify signatures on files". It is packaged in community. I have no opinion on the use of such signatures in a Linux environment. He has also linked to the signature and the verification process (see quote below).

Theoretically it would be possible to verify the signatures in a prepare() function, but it does feel a bit more complicated than directly using a gpg signature.

Signify is the result of a desire to have a signature tool that can be audited easily, OpenBSD claims gpg implementations are too complicated for that. [*]

-- ProgAndy

[*] https://www.openbsd.org/papers/bsdcan-signify.html
On Sat, May 11, 2019, 9:20 AM Marc Lehmann via arch-general < arch-general@archlinux.org> wrote:
A few of my packages are distributed on http://dist.schmorp.de/, backed up by signify signatures, in turn backed up by gpg(1), and other means.
...
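Added example, not part of this thread and not code from any participant or from the signify or makepkg projects: the two posts above (Justin's observation that the liblzf .sig is "just base64" that gpg cannot use, and ProgAndy's note that signify signatures could be checked in a prepare() function) both come down to the layout of a signify file, so this Python parser takes that layout apart and shows why gpg --verify rejects such a file as a format mismatch rather than a bad signature. The base64 line is the one quoted in this thread for liblzf-3.6.tar.gz; the "untrusted comment:" line, the constructed public key with an all-zero key body, and the use of the third-party `cryptography` package for the optional Ed25519 step are assumptions made here, and the constructed key is not the real dist.schmorp.de signing key.

```python
import base64

# Constructed two-line signify signature file. The base64 line is the one
# quoted in this thread for liblzf-3.6.tar.gz (as transcribed in the mail);
# the comment line is constructed and is NOT taken from dist.schmorp.de.
SAMPLE_SIG = (
    "untrusted comment: verify with signing-key.pub\n"
    "RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0=\n"
)

ALGO_LEN, KEYNUM_LEN, SIG_LEN, PUB_LEN = 2, 8, 64, 32


def parse_signify_file(text):
    """Split a signify key or signature file into its fields.

    Layout (OpenBSD signify): line 1 is 'untrusted comment: ...', line 2 is
    base64 of  2-byte algorithm tag "Ed"  ||  8-byte key number  ||  payload,
    where the payload is a 64-byte Ed25519 signature or a 32-byte public key.
    """
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a signify file: first line must be 'untrusted comment:'")
    raw = base64.b64decode(lines[1])
    if len(raw) < ALGO_LEN + KEYNUM_LEN:
        raise ValueError("signify blob too short")
    algo = raw[:ALGO_LEN]
    if algo != b"Ed":
        raise ValueError("unsupported signify algorithm %r" % algo)
    return {
        "comment": lines[0].split(":", 1)[1].strip(),
        "keynum": raw[ALGO_LEN:ALGO_LEN + KEYNUM_LEN].hex(),
        "payload": raw[ALGO_LEN + KEYNUM_LEN:],
    }


def classify(text):
    """Return 'signature' or 'pubkey' based on the payload length."""
    payload = parse_signify_file(text)["payload"]
    if len(payload) == SIG_LEN:
        return "signature"
    if len(payload) == PUB_LEN:
        return "pubkey"
    raise ValueError("unexpected payload length %d" % len(payload))


def looks_like_openpgp(text):
    """What makepkg's gpg --verify sees when handed a signify .sig.

    RFC 4880 section 4.2: the first octet of every OpenPGP packet header has
    bit 7 set. A signify blob starts with 'E' (0x45), so gpg cannot even parse
    it as a signature packet; the failure is a format mismatch, not a bad
    signature over the tarball.
    """
    raw = base64.b64decode(text.splitlines()[1])
    return (raw[0] & 0x80) != 0


def key_ids_match(sig_text, pub_text):
    """signify refuses to verify when the signature's 8-byte key number differs
    from the public key's; replicate that pre-check here."""
    return parse_signify_file(sig_text)["keynum"] == parse_signify_file(pub_text)["keynum"]


def constructed_pubkey_for(sig_text):
    """Build a syntactically valid pubkey file carrying the same key number as
    sig_text but an all-zero key body, only to exercise key_ids_match.
    This is a constructed test key, NOT the real signing key."""
    keynum = bytes.fromhex(parse_signify_file(sig_text)["keynum"])
    blob = b"Ed" + keynum + bytes(PUB_LEN)
    return "untrusted comment: constructed test key\n" + base64.b64encode(blob).decode() + "\n"


def verify_ed25519(sig_text, pub_text, message):
    """Full check as signify -V does it: key-number match, then Ed25519 verify.
    Assumes the third-party 'cryptography' package; imported lazily so the
    parser above works without it."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

    if not key_ids_match(sig_text, pub_text):
        return False
    sig = parse_signify_file(sig_text)["payload"]
    pub = parse_signify_file(pub_text)["payload"]
    try:
        Ed25519PublicKey.from_public_bytes(pub).verify(sig, message)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    info = parse_signify_file(SAMPLE_SIG)
    print("kind:", classify(SAMPLE_SIG), "key number:", info["keynum"])
    print("parses as an OpenPGP packet:", looks_like_openpgp(SAMPLE_SIG))
    pub = constructed_pubkey_for(SAMPLE_SIG)
    print("key number matches constructed pubkey:", key_ids_match(SAMPLE_SIG, pub))
```

Run against the real signing-key.pub from dist.schmorp.de and the downloaded tarball bytes, `verify_ed25519` gives the same accept/reject answer as `signify -V -p signing-key.pub -m liblzf-3.6.tar.gz`. In a PKGBUILD this belongs in prepare(), as ProgAndy suggests, alongside a pinned sha256sums entry for the tarball as Marc proposed; the `validpgpkeys` pinning Tharre describes only applies to signatures gpg can actually parse, which a signify file never is.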