[arch-general] Harassment by David Runge

Justin Capella justincapella at gmail.com
Mon May 13 11:53:27 UTC 2019 

I am unable to locate PKGBUILDs for the packages mentioned, php-redis and
liblzf. I've looked on the site you mentioned, Archlinux's packages, and in
AUR. Am I missing something? Do you maintain Archlinux packages for these?
Or is it that David is perhaps trying to make PKGBUILD and asking that the
source be pgp signed? Archlinux pkgs typically use gpg, I personally have
never heard of the tool you signed your source with. I don't know what all
happened between you two but if you're the author of these packages I think
a more traditional means of integrity/authenticity would be helpful...
Gpg,/pgp sha256 etc.

I recognize base64
but RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0=
in the sig file associated with liblzf... But it's useless to me without
the extraneous tool I'm not installing. Seeing as git signs with gpg I
think it's fair to say that's the norm.

On Sat, May 11, 2019, 9:20 AM Marc Lehmann via arch-general <
arch-general at archlinux.org> wrote:

> (Please (also) reply personally to me if you want me to read a reply, as I
> don't monitor the list).
>
> Hi!
>
> I was recently harassed by David Runge <dave at sleepmap.de>, by e-mail.
>
> I don't know if this is the right place to report this, but I looked
> at the wiki and the code of conduct, and this seemed the most fitting
> place (as there doesn't seem to be a specific contact for this kind of
> issue). If I am wrong, and there is a better place to send this to, I'd be
> happy to be redirected.
>
> Background: I am the author and/or maintainer of various software packages
> such as rxvt-unicode or gnu vpe, many of which are distributed as part of
> popular software distributions such as Debian GNU/Linux and others.
>
> A few of my packages are distributed on http://dist.schmorp.de/, backed up
> by signify signaturs, in turn backed up by gpg(1), and other means.
>
> On 2019-05-10 I was contacted, in german, by David Runge (pgp fingerprint
> 91BD8815...).
>
> He stated that he is in the process of packaging php-redis and liblzf (my
> software package) for arch linux, and claimed that the signatures on my
> server are not valid, which would be a serious issue for data integrity,
> so I was quite alarmed. He also asked whether I could provide individual
> gpg signatures instead, as, apparently, the arch build system treats all
> .sig files as gpg files and that not doing this would make it impossible
> to verify the downloads.
>
> I immediately asked him what is wrong with the signatures and why they
> wouldn't be valid, what file exactly does not verify and how exactly does
> he
> verify them. I also pointed him at the documentation on the signatures in
> (1) and offered to help in case of problems.
>
> He replied that the arch build system automatically treats all .sig files
> as gpg signatures, and that this can't be switched off; that the signature
> for http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz does not verify, and
> claimed this affects all of the file signatures.
>
> I in turn replied that I consider this a candidate for a bug report
> against the arch build system, as it shouldn't enforce treatment of
> random .sig file as gpg signature. I also pointed out that it is a
> security bug if arch linux treats .sig files without a hardcoded or
> otherwise authenticated gpg key id, and shouldn't rely on a random
> openpgp signature, even if that signature verifies. I did mention that
> I can hardly imagine that the arch build system would be that broken
> however.
>
> Again I asked for details of what is not valid with the existing
> signatures. I also pointed out that if he cannot implement the signify
> signatures automatically, he could get still get cryptographic protection
> by including a hardcoded checksum of the release tarball into the package
> build system, which would solve the problem of verification. Lastly I
> pointed out that a separate gnupg signature for every file would result
> in a rather large overhead for me, especially since no other distribution
> requires this.
>
> Up until this point, I respectfully tried to a) find out why he claims the
> signatures were not valid and b) constructively tried to find a solution
> that would work for everybody and c) get him to report bugs against the
> arch build system if it is really as broken as he described it, to improve
> arch linux.
>
> I then received a mail full of ad hominems, calling my attempts at solving
> his problem "sad", making a strange claim that it seems important for
> me that my software is used (which potentially implies a threat of not
> packaging my software if I don't comply, of course), attacked me for
> "denouncing the work of others", called my replies "disdainful rants",
> questioned my motives when I tried to improve arch linux by pointing out
> potential security issues and so on.
>
> All of which was completely uncalled for, and, frankly, most of which left
> me puzzled at where he would even get those ideas.
>
> At no point did he provide any details on his claim that the existing
> signatures were not valid.
>
> The above is an essentially complete and factual summary of the e-mail
> exchange, which I can back up by the original (german) e-mails.
>
> I can distinguish between individuals claiming to speak for arch
> linux and the body of people who actually comprise the project as a
> whole, but the fact that at least this arch maintainer tries to harass
> upstream authors into compliance with the arch build system and his very
> unprofessional and insulting style of conduct reflects back badly on
> arch linux as a whole, especially as I am writing and distributing free
> software for over 25 ysears now, and never had this kind of problem with a
> software distribution.
>
> I (of course) assume (but don't know) that enforcing compliance with
> questionable security practises is not the official position of the arch
> project as a whole.
>
> Respectfully yours,
> Marc Lehmann
>
> (1) http://dist.schmorp.de/signing-key.txt
>
> --
>                 The choice of a       Deliantra, the free code+content
> MORPG
>       -----==-     _GNU_              http://www.deliantra.net
>       ----==-- _       generation
>       ---==---(_)__  __ ____  __      Marc Lehmann
>       --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
>       -=====/_/_//_/\_,_/ /_/\_\
>

More information about the arch-general mailing list