[aur-general] TU application: Jonas Witschel (diabonas)

Bruno Pagani bruno.n.pagani at gmail.com
Thu Sep 5 19:53:31 UTC 2019

Hi there,

On 05/09/2019 17:23, Jonas Witschel wrote:
> Hi all,
> my name is Jonas Witschel (online nick "diabonas" on the
> AUR/GitHub/GitLab/...) and I am applying as an Arch Linux Trusted User
> under the sponsorship of Bruno Pagani and Alad Wenter.

I hereby confirm my sponsorship of Jonas. :) I have known him since I
took over some tpm2 stuff into [community] as required dependencies for
fwupd very early this year, and have ever since been amazed by his work.
More on that below. ;)

> […]
> I am interested in many security-related things such as Secure Boot,
> Trusted Platform Modules (TPMs), disk encryption, PGP, ... As such, I am
> a member of the tpm2-software organisation and a maintainer of tpm2-totp
> [1]. Recently I have been working on getting Web Key Directory support
> into pacman for fetching PGP keys independently of the key server
> network [2,3]. A repository of all my AUR packages can be found on
> Gitlab [4].

I am really interested in Jonas' work on security and TPM in particular,
I think there is quite some space to be filled on boot security in our
tools and documentation. I think Jonas will be of great expertise in
this particular area.

> If I were accepted as a trusted user, I would take over maintenance of
> the tpm2-software stack from my sponsor Bruno Pagani. This makes sense
> since I am an upstream member of tpm2-software anyway and had been
> maintaining these packages until they were adopted to [community].

That is the part where I need to disagree. ;) Not on Jonas taking
maintainership of those packages again of course (we naturally discussed
this beforehand), but on the fact he ever stopped maintaining them. I
would just say he stopped committing the changes by himself, but that’s
barely all. Everyone is free to see the kind of OOD messages he has been
leaving me over the past months, as can still be viewed on tpm2-tss[0]
that I did not have time to update yet. So as a matter of fact, I
consider Jonas has remained the actual maintainer of the tpm2 stack even
after I moved some parts of it into [community]. It would hence just be
logical for me that he gets the commit rights necessary to pursue this
job by himself (also, I could make use of some pkgnumber reduction…). :)

> Another long-time goal as a trusted user would be getting out of the box
> Secure Boot support for the Arch Linux installation images [5,6].
> Packages I would like to adopt from the AUR to [community] for starters are:
> - The rest of the tpm2-software stack: tpm2-tss-engine and tpm2-totp
> (when they have reached the 1% usage from pkgstats/10 votes on the AUR
> threshold), tpm2-pkcs11-git (as soon as it gets a release).
> - clevis and tang (and their dependencies jose, luksmeta)
> - sbupdate-git (I need to speak to upstream about making a release first)
> - paperkey
> - cryptomator
> - deheader
> - texworks
> - pdftk-java (an exact Java reimplementation of the very popular
> pdftk/pdftk-bin, which is hard to package since it relies on an outdated
> version of GCC)

I should say that despite what the appearances could look like (e.g. no
bunch of commits fixing issues on all packages at roughly the same
time), I actually reviewed Jonas' packages but only found two or three
minor nits. As well, when I moved some of the tpm2 packages into
[community], I mostly had just to copy the PKGBUILD verbatim.

> I am looking forward to working with you and welcome any questions and
> comments!

And I definitely look forward to working with you as part of our TU
team too! I wish you good luck with your application and hope you’ll
convince everyone just as Alad and I were. ;)


[0] https://www.archlinux.org/packages/community/x86_64/tpm2-tss/
