[pacman-dev] [ Package Signing ] Your signature please

Allan McRae allan at archlinux.org
Sat Feb 19 10:24:53 EST 2011


On 20/02/11 00:33, IgnorantGuru wrote:
> On Sat, 19 Feb 2011 23:46:57 +1000
> Allan McRae<allan at archlinux.org>  wrote:
>
>> Or is it less secure to write our own code (reviewed by perhaps two
>> people total) to launch and parse the output of gpg or use the
>> wrapper provided by the gpgp devs.  Note that gpgme just calls gpg,
>> so you can still replace that with a wrapper and do everything you
>> just pointed out.
>
> I actually don't have huge problems with gpgme, but you said you couldn't understand my point, so I explained.  Based on what I have seen over the years, I still think parsing the text is wiser.  Anything which makes security mechanisms more transparent improves security, in general.  But I understand why APIs are so inviting (to developers and hackers alike).
>
>> 1) I understand its importance
>
> I don't believe so, or you would give it higher priority.  Apparently we need a hacker to exploit this and inconvenience huge numbers of people for YOU to see the importance, Microsoft-style, but that's a very lazy and irresponsible approach.

Let me rephrase that:  I understand its importance _to other people_.

As I have said, this whole issue does not particularly affect me so I 
give it low priority.  I really do not care if it affects others.  I 
develop pacman and Arch Linux to improve my computing experience.  If 
others get benefit from my work, then that is a bonus.

>> 2) I am not "working" on anything. I am volunteering my time.
>
> I find that a poor attitude, as I've always considered freeware (and other volunteer WORK) among the most important WORK I do, but obviously you've got some issues about developing freeware.  If you're that miserable, don't do it.  A bitter baker bakes a bitter bread.  You're taking the joy out of development with your approach IMO.  One of the joys of being a freeware developer is that you're free.  Turning it into an obligation that you whine about is missing the joy of it.  So like I said, if you're that miserable, don't do it - no one is going to make your misery worth it by paying you $1000 for this, like in your 'real work'.

I think we have just agreed... in a way.  I should focus on the areas 
that make me a happy contributor.  If that does not happen to be package 
signing, then so be it.

>> 3) I am not sabotaging anything.  I have reviewed all patches
>> submitted here for package signing and have pulled them to a git repo
>> and even spent time fixing the current implementation.
>
> I do acknowledge that you've brought this forward a bit, but your attitude about your _work_ gives me great cause for concern.  When you work with any area of cryptography, remember that lives and certainly livelihoods can literally depend on your keystrokes (even though you may not want or expect them to), so get behind your work or don't do it.  This isn't just a toy, free though it may be.

I think I know every distribution using pacman as a package manager and 
(unless there is an enterprise level distro I am missing) if people's 
lives depend on one of these distros, then I am sorry to say it but in 
my opinion they are stupid and deserve to die.

Allan
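The disagreement above is about whether to drive gpg through gpgme or to launch gpg and parse what it prints. As an added illustration (not code from this thread or from pacman), the following shows what "parsing the text" has to mean if it is done at all: reading gpg's machine-readable `--status-fd` protocol (lines prefixed `[GNUPG:]`, keywords such as `GOODSIG`, `BADSIG`, `VALIDSIG`, `TRUST_*`), never the human-readable stdout/stderr, and deciding on a closed allow-list of primary-key fingerprints. The status samples below are constructed, the fingerprint and user id are placeholders, and the accept policy (one or more signatures, every one GOODSIG from an allow-listed key at full or ultimate trust) is an assumption made for the example.

```python
"""Decide whether a gpg verification succeeded by parsing the --status-fd
protocol, the only output of gpg that is stable enough to make a security
decision on.  Example code, not pacman's implementation."""
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "
# Status keywords that mean the signature (or its key) must be rejected.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
# Key-trust levels this example's policy accepts (an assumption, not gpg's).
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class SigResult:
    good: bool = False
    fingerprint: str = ""          # primary-key fingerprint taken from VALIDSIG
    trust: str = ""                # TRUST_* keyword gpg emitted for the key
    problems: list = field(default_factory=list)


def parse_status(status_text):
    """Split --status-fd output into one SigResult per signature.

    Every line not carrying the [GNUPG:] prefix is ignored: human-readable
    text is localized and unversioned, so it must never drive a decision."""
    results = []
    current = None
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "NEWSIG":             # delimiter gpg emits per signature
            current = SigResult()
            results.append(current)
            continue
        if current is None:                 # tolerate output without NEWSIG
            current = SigResult()
            results.append(current)
        if keyword == "GOODSIG":
            current.good = True
        elif keyword == "VALIDSIG" and args:
            # VALIDSIG's 10th field is the primary-key fingerprint; older gpg
            # versions emit only the signing-key fingerprint as field 1.
            current.fingerprint = (args[9] if len(args) >= 10 else args[0]).upper()
        elif keyword.startswith("TRUST_"):
            current.trust = keyword
        elif keyword in REJECT_KEYWORDS:
            current.good = False
            current.problems.append(keyword)
    return results


def signature_acceptable(status_text, trusted_fingerprints):
    """True only if at least one signature was seen and every signature is
    GOODSIG, free of reject keywords, at an accepted trust level, and made by
    a primary key on the caller's allow-list."""
    sigs = parse_status(status_text)
    if not sigs:
        return False
    trusted = {f.upper() for f in trusted_fingerprints}
    return all(s.good and not s.problems and s.trust in ACCEPTED_TRUST
               and s.fingerprint in trusted for s in sigs)


# Constructed samples of what gpg --verify --status-fd 1 might emit.
PLACEHOLDER_FPR = "0000000000000000000000000123456789ABCDEF"
GOOD_STATUS = f"""\
gpg: Signature made Sat 19 Feb 2011 10:24:53 AM EST
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>
[GNUPG:] VALIDSIG {PLACEHOLDER_FPR} 2011-02-19 1298129093 0 4 0 1 10 00 {PLACEHOLDER_FPR}
[GNUPG:] TRUST_FULLY 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Packager <packager@example.org>
"""
UNTRUSTED_STATUS = GOOD_STATUS.replace("TRUST_FULLY", "TRUST_UNDEFINED")

if __name__ == "__main__":
    allow = [PLACEHOLDER_FPR]
    print("good, trusted key :", signature_acceptable(GOOD_STATUS, allow))
    print("bad signature     :", signature_acceptable(BAD_STATUS, allow))
    print("good, untrusted   :", signature_acceptable(UNTRUSTED_STATUS, allow))
    print("good, not listed  :", signature_acceptable(GOOD_STATUS, ["DEADBEEF"]))
```

The point the parser makes is that a good signature and an acceptable signature are different things: gpg reports `GOODSIG` for any key it can verify with, and the trust level and the identity of the signing key have to be checked separately, which is exactly the logic a thin wrapper, whether hand-written or gpgme, has to get right.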
