[arch-general] Harassment by David Runge

Marc Lehmann arch-general at plan9.de
Sat May 11 16:20:23 UTC 2019 

(Please (also) reply personally to me if you want me to read a reply, as I
don't monitor the list).

Hi!

I was recently harassed by David Runge <dave at sleepmap.de>, by e-mail.

I don't know if this is the right place to report this, but I looked
at the wiki and the code of conduct, and this seemed the most fitting
place (as there doesn't seem to be a specific contact for this kind of
issue). If I am wrong, and there is a better place to send this to, I'd be
happy to be redirected.

Background: I am the author and/or maintainer of various software packages
such as rxvt-unicode or gnu vpe, many of which are distributed as part of
popular software distributions such as Debian GNU/Linux and others.

A few of my packages are distributed on http://dist.schmorp.de/, backed up
by signify signaturs, in turn backed up by gpg(1), and other means.

On 2019-05-10 I was contacted, in german, by David Runge (pgp fingerprint
91BD8815...).

He stated that he is in the process of packaging php-redis and liblzf (my
software package) for arch linux, and claimed that the signatures on my
server are not valid, which would be a serious issue for data integrity,
so I was quite alarmed. He also asked whether I could provide individual
gpg signatures instead, as, apparently, the arch build system treats all
.sig files as gpg files and that not doing this would make it impossible
to verify the downloads.

I immediately asked him what is wrong with the signatures and why they
wouldn't be valid, what file exactly does not verify and how exactly does he
verify them. I also pointed him at the documentation on the signatures in
(1) and offered to help in case of problems.

He replied that the arch build system automatically treats all .sig files
as gpg signatures, and that this can't be switched off; that the signature
for http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz does not verify, and
claimed this affects all of the file signatures.

I in turn replied that I consider this a candidate for a bug report
against the arch build system, as it shouldn't enforce treatment of
random .sig file as gpg signature. I also pointed out that it is a
security bug if arch linux treats .sig files without a hardcoded or
otherwise authenticated gpg key id, and shouldn't rely on a random
openpgp signature, even if that signature verifies. I did mention that
I can hardly imagine that the arch build system would be that broken
however.

Again I asked for details of what is not valid with the existing
signatures. I also pointed out that if he cannot implement the signify
signatures automatically, he could get still get cryptographic protection
by including a hardcoded checksum of the release tarball into the package
build system, which would solve the problem of verification. Lastly I
pointed out that a separate gnupg signature for every file would result
in a rather large overhead for me, especially since no other distribution
requires this.

Up until this point, I respectfully tried to a) find out why he claims the
signatures were not valid and b) constructively tried to find a solution
that would work for everybody and c) get him to report bugs against the
arch build system if it is really as broken as he described it, to improve
arch linux.

I then received a mail full of ad hominems, calling my attempts at solving
his problem "sad", making a strange claim that it seems important for
me that my software is used (which potentially implies a threat of not
packaging my software if I don't comply, of course), attacked me for
"denouncing the work of others", called my replies "disdainful rants",
questioned my motives when I tried to improve arch linux by pointing out
potential security issues and so on.

All of which was completely uncalled for, and, frankly, most of which left
me puzzled at where he would even get those ideas.

At no point did he provide any details on his claim that the existing
signatures were not valid.

The above is an essentially complete and factual summary of the e-mail
exchange, which I can back up by the original (german) e-mails.

I can distinguish between individuals claiming to speak for arch
linux and the body of people who actually comprise the project as a
whole, but the fact that at least this arch maintainer tries to harass
upstream authors into compliance with the arch build system and his very
unprofessional and insulting style of conduct reflects back badly on
arch linux as a whole, especially as I am writing and distributing free
software for over 25 ysears now, and never had this kind of problem with a
software distribution.

I (of course) assume (but don't know) that enforcing compliance with
questionable security practises is not the official position of the arch
project as a whole.

Respectfully yours,
Marc Lehmann

(1) http://dist.schmorp.de/signing-key.txt

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\

More information about the arch-general mailing list