[pacman-dev] [ Package Signing ] Your signature please

Loui Chang louipc.ist at gmail.com
Sat Feb 19 13:51:33 EST 2011


On Sun 20 Feb 2011 01:24 +1000, Allan McRae wrote:
> On 20/02/11 00:33, IgnorantGuru wrote:
> >On Sat, 19 Feb 2011 23:46:57 +1000
> >Allan McRae<allan at archlinux.org>  wrote:
> >
> >>Or is it less secure to write our own code (reviewed by perhaps two
> >>people total) to launch and parse the output of gpg or use the
> >>wrapper provided by the gpg devs.  Note that gpgme just calls gpg,
> >>so you can still replace that with a wrapper and do everything you
> >>just pointed out.
> >
> >I actually don't have huge problems with gpgme, but you said you couldn't understand my point, so I explained.  Based on what I have seen over the years, I still think parsing the text is wiser.  Anything which makes security mechanisms more transparent improves security, in general.  But I understand why APIs are so inviting (to developers and hackers alike).
> >
> >>1) I understand its importance
> >
> >I don't believe so, or you would give it higher priority.  Apparently we need a hacker to exploit this and inconvenience huge numbers of people for YOU to see the importance, Microsoft-style, but that's a very lazy and irresponsible approach.
> 
> Let me rephrase that:  I understand its importance _to other people_.
> 
> As I have said, this whole issue does not particularly affect me so I give
> it low priority.  I really do not care if it affects others.  I develop
> pacman and Arch Linux to improve my computing experience.  If others get
> benefit from my work, then that is a bonus.
> 
> >>2) I am not "working" on anything. I am volunteering my time.
> >
> >I find that a poor attitude, as I've always considered freeware (and
> >other volunteer WORK) among the most important WORK I do, but
> >obviously you've got some issues about developing freeware.  If
> >you're that miserable, don't do it.  A bitter baker bakes a bitter
> >bread.  You're taking the joy out of development with your approach
> >IMO.  One of the joys of being a freeware developer is that you're
> >free.  Turning it into an obligation that you whine about is missing
> >the joy of it.  So like I said, if you're that miserable, don't do it
> >- no one is going to make your misery worth it by paying you $1000
> >for this, like in your 'real work'.
> 
> I think we have just agreed... in a way.  I should focus on the areas that
> make me a happy contributor.  If that does not happen to be package signing,
> then so be it.
> 
> >>3) I am not sabotaging anything.  I have reviewed all patches
> >>submitted here for package signing and have pulled them to a git repo
> >>and even spent time fixing the current implementation.
> >
> >I do acknowledge that you've brought this forward a bit, but your
> >attitude about your _work_ gives me great cause for concern.  When
> >you work with any area of cryptography, remember that lives and
> >certainly livelihoods can literally depend on your keystrokes (even
> >though you may not want or expect them to), so get behind your work
> >or don't do it.  This isn't just a toy, free though it may be.
> 
> I think I know every distribution using pacman as a package manager and
> (unless there is an enterprise level distro I am missing) if people's lives
> depend on one of these distros, then I am sorry to say it but in my opinion
> they are stupid and deserve to die.

Yeah! Archers deserve to die!

But really I'm not convinced by this hyper-paranoia trash.
There will always be ways to compromise your machine. Someone who would
go through the trouble of setting up a proxy mirror and injecting
malicious code into seemingly normal packages is probably going to find
other ways. Package signing will not protect you.

You will never be safe.
The truth is out there.
