(Please (also) reply personally to me if you want me to read a reply, as I don't monitor the list). Hi! I was recently harassed by David Runge <dave@xxxxxxxxxxx>, by e-mail. I don't know if this is the right place to report this, but I looked at the wiki and the code of conduct, and this seemed the most fitting place (as there doesn't seem to be a specific contact for this kind of issue). If I am wrong, and there is a better place to send this to, I'd be happy to be redirected. Background: I am the author and/or maintainer of various software packages such as rxvt-unicode or gnu vpe, many of which are distributed as part of popular software distributions such as Debian GNU/Linux and others. A few of my packages are distributed on http://dist.schmorp.de/, backed up by signify signaturs, in turn backed up by gpg(1), and other means. On 2019-05-10 I was contacted, in german, by David Runge (pgp fingerprint 91BD8815...). He stated that he is in the process of packaging php-redis and liblzf (my software package) for arch linux, and claimed that the signatures on my server are not valid, which would be a serious issue for data integrity, so I was quite alarmed. He also asked whether I could provide individual gpg signatures instead, as, apparently, the arch build system treats all .sig files as gpg files and that not doing this would make it impossible to verify the downloads. I immediately asked him what is wrong with the signatures and why they wouldn't be valid, what file exactly does not verify and how exactly does he verify them. I also pointed him at the documentation on the signatures in (1) and offered to help in case of problems. He replied that the arch build system automatically treats all .sig files as gpg signatures, and that this can't be switched off; that the signature for http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz does not verify, and claimed this affects all of the file signatures. I in turn replied that I consider this a candidate for a bug report against the arch build system, as it shouldn't enforce treatment of random .sig file as gpg signature. I also pointed out that it is a security bug if arch linux treats .sig files without a hardcoded or otherwise authenticated gpg key id, and shouldn't rely on a random openpgp signature, even if that signature verifies. I did mention that I can hardly imagine that the arch build system would be that broken however. Again I asked for details of what is not valid with the existing signatures. I also pointed out that if he cannot implement the signify signatures automatically, he could get still get cryptographic protection by including a hardcoded checksum of the release tarball into the package build system, which would solve the problem of verification. Lastly I pointed out that a separate gnupg signature for every file would result in a rather large overhead for me, especially since no other distribution requires this. Up until this point, I respectfully tried to a) find out why he claims the signatures were not valid and b) constructively tried to find a solution that would work for everybody and c) get him to report bugs against the arch build system if it is really as broken as he described it, to improve arch linux. I then received a mail full of ad hominems, calling my attempts at solving his problem "sad", making a strange claim that it seems important for me that my software is used (which potentially implies a threat of not packaging my software if I don't comply, of course), attacked me for "denouncing the work of others", called my replies "disdainful rants", questioned my motives when I tried to improve arch linux by pointing out potential security issues and so on. All of which was completely uncalled for, and, frankly, most of which left me puzzled at where he would even get those ideas. At no point did he provide any details on his claim that the existing signatures were not valid. The above is an essentially complete and factual summary of the e-mail exchange, which I can back up by the original (german) e-mails. I can distinguish between individuals claiming to speak for arch linux and the body of people who actually comprise the project as a whole, but the fact that at least this arch maintainer tries to harass upstream authors into compliance with the arch build system and his very unprofessional and insulting style of conduct reflects back badly on arch linux as a whole, especially as I am writing and distributing free software for over 25 ysears now, and never had this kind of problem with a software distribution. I (of course) assume (but don't know) that enforcing compliance with questionable security practises is not the official position of the arch project as a whole. Respectfully yours, Marc Lehmann (1) http://dist.schmorp.de/signing-key.txt -- The choice of a Deliantra, the free code+content MORPG -----==- _GNU_ http://www.deliantra.net ----==-- _ generation ---==---(_)__ __ ____ __ Marc Lehmann --==---/ / _ \/ // /\ \/ / schmorp@xxxxxxxxxx -=====/_/_//_/\_,_/ /_/\_\
