Hi Daniel,
Thank you very much again for taking the time to respond to my offensive
email that i'm not proud of :/
Le 2024-08-07 01:57, Daniel Kahn Gillmor a écrit :
Hi Sébastien--
[...]
I don't understand why you, with your "downstream packager hat", have to
rethink about that.
As a downstream packager, i think about what i'm responsible for
maintaining and distributing to other users. In the case of GnuPG, i
started doing maintenance work on it in Debian because i see it as a
piece of critical infrastructure that needed a hand. That does not
obligate me to distribute additional things that i think are not
critical infrastructure, or indeed might be actively risky for
downstream users.
this makes perfect sense.
- If the "security implications of connecting GnuPG to your web browser"
were so severe, don't you think that "upstream" wouldn't have developed
this if it was insecure? If you had any concern, that should be raised
to another level with your "upstream developer hat".
While the GnuPG developers have occasionally seen me as part of
"upstream" in the past, i would guess that they don't see me that way
today. And at any rate, they are as free to disagree with me as i am
with them. Just because they want to hook their secret key material up
to their web browser doesn't mean it's something i am obliged to spend
my time supporting.
that's my main point: you are under no obligation to support it
yourself, help & code is provided here, but that help seemed to be
un-welcome/ignored :/
fwiw, i was really happy with this idea, years ago, and even helped to
get the FireGPG browser extension packaged for debian. It turned out
that was a bad idea, because of UX security problems that were never
adequately resolved to my knowledge. Once bitten, twice shy.
My understanding is that Mailvelope (one consumer of gpgme-json, aiui)
may have similar concerns around in-browser UI, javascript, and
same-origin policy -- have you done the analysis that shows that
mailvelope is safe to use in that context? For example, are we
confident that gmail can't exfiltrate decrypted messages, or spoof
signature status for people who use mailvelope? (i'm hoping the answer
is that mailvelope is safe, but i haven't read such an analysis, nor
have i conducted it myself) What about for other consumers of
gpgme-json?
I am in no position to have done any security analysis of any GnuPG
component.
But I am the kind of person that trusts upstream devs. So if GnuPG offers
a binary that browsers can use IF they clear the way by providing a file
with some kind of UID to identify extensions that are permitted to use
it, i'm the kind of person that will blindly trust the system.
Call me naive but that's who i am.
Put more broadly: What's the goal here in terms of our users? What
functionality are we trying to offer users (or developers)? What risks
are we exposing them to?
The goal is to allow Mailvelope to talk to secret key material.
Only Mailvelope.
And i want to emphasize that it *talks* to secret key material, it doesn't
have access to it (secret keys still don't leave the
opengpgcard/yubikey/whatever-hardware-you-have)
But certainly not by doing obstruction here in Debian.
I'm not trying to do "obstruction", for what it's worth. I'm simply
rationing my time and emotional energy. I've been asking more people to
step up to help with the packaging, infrastructure, and security work
here for years, and Andreas Metzler has been one of the few people to
step up with any significant effort (thank you Andreas!) I'm sorry i
haven't had the capacity to review additional work that seems
fundamentally risky to me.
ACK; sorry for using the strong word "obstruction".
What I wanted to reflect was the feeling that i was talking to /dev/null
until now.
Which patches are you asking for review on?
[...]
I was talking about the commits here
https://salsa.debian.org/twolife/gpgme/-/commits/gpgmejson
that i pointed in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911189#84
I didn't make another MR, as the other ones were ignored.
I simply assumed you were one of the many DD that dislike MR on salsa;
like it seems to be a majority of DD, based on
- the number of my own ignored MR
- the thread about DEP-18 on d-devel ML, if i interpret it correctly
So i posted it to debbugs. But it was also ignored.
One of the many things that makes me angry and write insulting emails :-/
But if all you want is an updated/non-conflicting MR, i can do that in
seconds.
Once reviews are done & comments posted, corrections will come.
OK, i've now added some comments on MR !2, since i'm not sure where else
you want the comments. I hope they're understandable.
except for the part where you ask for an analysis, i'm sure I can answer
to everything else. I will do that promptly.
But right now all you are doing is playing for time.
I'm not "playing for time", i'm spending my time trying to communicate
the concerns i have
You are communicating *now*, that's the big difference between now & the
last 4 years on this front.
Again: thank you.
best regards,
Sébastien
and hoping that folks who share those concerns but
still want to advance the project would (a) provide reasoned discussion
about those concerns, and (b) would try to demonstrate that the code
they're proposing is working, is safe to use, and is not going to
increase the maintenance burden i'm already failing at.
Sorry for not being nicer, but once again i feel that those with an
@debian.org email address are just shitting on the others.
I do not mean to shit on you, or on anyone else. I welcome
contributions, and i'm sorry for my own lack of capacity, but i really
am a limited human being.
All the best,
--dkg