[pacman-dev] [ Package Signing ] Your signature please

IgnorantGuru jgj7.pacmandev at mailnull.com
Sat Feb 19 09:33:29 EST 2011


On Sat, 19 Feb 2011 23:46:57 +1000
Allan McRae <allan at archlinux.org> wrote:

> Or is it less secure to write our own code (reviewed by perhaps two 
> people total) to launch and parse the output of gpg or use the
> wrapper provided by the gpgp devs.  Note that gpgme just calls gpg,
> so you can still replace that with a wrapper and do everything you
> just pointed out.

I actually don't have huge problems with gpgme, but you said you couldn't understand my point, so I explained.  Based on what I have seen over the years, I still think parsing the text is wiser.  Anything which makes security mechanisms more transparent improves security, in general.  But I understand why APIs are so inviting (to developers and hackers alike).

> 1) I understand its importance

I don't believe so, or you would give it higher priority.  Apparently we need a hacker to exploit this and inconvenience huge numbers of people for YOU to see the importance, Microsoft-style, but that's a very lazy and irresponsible approach.

> 2) I am not "working" on anything. I am volunteering my time.

I find that a poor attitude, as I've always considered freeware (and other volunteer WORK) among the most important WORK I do, but obviously you've got some issues about developing freeware.  If you're that miserable, don't do it.  A bitter baker bakes a bitter bread.  You're taking the joy out of development with your approach IMO.  One of the joys of being a freeware developer is that you're free.  Turning it into an obligation that you whine about is missing the joy of it.  So like I said, if you're that miserable, don't do it - no one is going to make your misery worth it by paying you $1000 for this, like in your 'real work'.

> 3) I am not sabotaging anything.  I have reviewed all patches
> submitted here for package signing and have pulled them to a git repo
> and even spent time fixing the current implementation.

I do acknowledge that you've brought this forward a bit, but your attitude about your _work_ gives me great cause for concern.  When you work with any area of cryptography, remember that lives and certainly livelihoods can literally depend on your keystrokes (even though you may not want or expect them to), so get behind your work or don't do it.  This isn't just a toy, free though it may be.



More information about the pacman-dev mailing list