From noloader at gmail.com Thu Apr 2 03:06:38 2020
From: noloader at gmail.com (Jeffrey Walton)
Date: Wed, 1 Apr 2020 21:06:38 -0400
Subject: Someone is squatting GnuPG names

Hi Everyone,

It looks like someone is squatting the names "GPG" and "GnuPG" (and the other subprojects). Also see https://github.com/gpg. They are even using the project's icons.

Unsuspecting users don't really have a way to determine the projects are not authorized. They don't show as a fork (in the upper left hand corner). Rather they appear to be an authorized source.

I found the projects when searching for the project's github. I did not learn they were fakes until Werner commented in a bug report.

If the projects are fake then GnuPG should contact GitHub (and other Git-based services) and have the repos taken down.

Thanks in advance.

From gpg-devel at nopicturesplease.de Thu Apr 2 08:15:08 2020
From: gpg-devel at nopicturesplease.de (Holger Smolinski via [gnupg-devel])
Date: Thu, 2 Apr 2020 08:15:08 +0200
Subject: Someone is squatting GnuPG names

On 02.04.20 at 03:06, Jeffrey Walton via Gnupg-devel wrote:
> It looks like someone is squatting the names "GPG" and "GnuPG"
> (and the other subprojects). Also see https://github.com/gpg. They are
> even using the project's icons.

This guy, Jeroen Ooms, at UC Berkeley seems to fork and group various repositories. Maybe he has "just" not understood unwritten naming conventions for private repositories... Could be helpful to talk to him and stay tuned for any activities which could undermine the authority of mainline GnuPG.

Regards,
Holger

[Attachment scrubbed: signature.asc, application/pgp-signature, 554 bytes, OpenPGP digital signature]
From look at my.amazin.horse Thu Apr 2 09:42:48 2020
From: look at my.amazin.horse (Vincent Breitmoser)
Date: Thu, 02 Apr 2020 09:42:48 +0200
Subject: Someone is squatting GnuPG names
Message-ID: <2Y5ACKDFXKC5Z.3MH3IP1XIKF7S@my.amazin.horse>

> Unsuspecting users don't really have a way to determine the projects
> are not authorized. They don't show as a fork (in the upper left hand
> corner). Rather they appear to be an authorized source.

It says "unofficial gnupg mirrors", right there in the title from your link? I agree it could be made more obvious (e.g. in repo descriptions), but it's not like he's hiding the fact.

The decentralized nature of git will always lead to mirrors on pages like github, and if it wasn't this guy mirroring in a systematic manner you'd still have people pushing the repository or derivatives all over as part of their normal workflows. At least this way they stay up to date.

Perhaps a friendly note asking to make a better mention of the fact the repos are mirrors and a more visible pointer to upstream would be a good idea.

 - V

From noloader at gmail.com Thu Apr 2 10:26:12 2020
From: noloader at gmail.com (Jeffrey Walton)
Date: Thu, 2 Apr 2020 04:26:12 -0400
Subject: Someone is squatting GnuPG names
In-Reply-To: <2Y5ACKDFXKC5Z.3MH3IP1XIKF7S@my.amazin.horse>
References: <2Y5ACKDFXKC5Z.3MH3IP1XIKF7S@my.amazin.horse>

On Thu, Apr 2, 2020 at 3:42 AM Vincent Breitmoser wrote:
>
> > Unsuspecting users don't really have a way to determine the projects
> > are not authorized. They don't show as a fork (in the upper left hand
> > corner). Rather they appear to be an authorized source.
>
> It says "unofficial gnupg mirrors", right there in the title from your link?
> I agree it could be made more obvious (e.g. in repo descriptions), but it's not
> like he's hiding the fact.
Try this out: https://github.com/gpg/gnupg. There's no indication. I made a pull request against it thinking the gnupg devs would handle it. It fooled me and about 280 others.

Why in the world would someone squat an organization's name? If it was jerome/gnupg I would have moved on.

Why has GnuPG not taken action? What is the purpose of allowing people to make the mistake?

Jeff

From noloader at gmail.com Thu Apr 2 11:38:30 2020
From: noloader at gmail.com (Jeffrey Walton)
Date: Thu, 2 Apr 2020 05:38:30 -0400
Subject: Option to build Master without --enable-maintainer-mode

I am trying to build GnuPG and its components from Git Master. According to README.git [1], one must configure master using --enable-maintainer-mode.

Maintainer mode causes a lot of problems in practice. I'm not a maintainer and I am not interested in building release tarballs or documentation. However, maintainer mode requires that I have a well configured machine to do so. Some machines I test on do not have the tools available. Other machines I have are resource constrained and I don't want to waste the cpu cycles to build the docs. Other machines I have lack the storage and quickly run out of disk space due to unneeded documentation. Finally, due to bugs with GhostScript and Convert, the docs don't even build on some platforms due to some policy decision.

The README.git also says we must './configure --enable-maintainer-mode' to install missing files. This is not true:

    # Satisfy requirements, install missing files
    ./configure --enable-maintainer-mode

    # Now build for real
    ./configure && make -j 8

The files are still missing after './configure --enable-maintainer-mode'. The regular 'configure && make' will still fail due to missing files.

I think the project needs to supply a --enable-qa-mode so folks like me can test the sources without futzing around with release tarballs or documentation.
If interested, here is the carnage --enable-maintainer-mode causes: https://travis-ci.org/github/noloader/gnupg/builds/670053355 . The GitHub fork repeatedly builds the entire GnuPG suite using Travis jobs in different configurations. The red X's indicate failed builds. Most of the failures are due to problems in building the docs.

[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=README.GIT;h=57dab7a213c48884dec8b73ea17ca563c3d77908;hb=HEAD

From wk at gnupg.org Thu Apr 2 21:36:21 2020
From: wk at gnupg.org (Werner Koch)
Date: Thu, 02 Apr 2020 21:36:21 +0200
Subject: Someone is squatting GnuPG names
In-Reply-To: (Jeffrey Walton via Gnupg-devel's message of "Thu, 2 Apr 2020 04:26:12 -0400")
References: <2Y5ACKDFXKC5Z.3MH3IP1XIKF7S@my.amazin.horse>
Message-ID: <874ku1smru.fsf@wheatstone.g10code.de>

On Thu, 2 Apr 2020 04:26, Jeffrey Walton said:

> Why has GnuPG not taken action? What is the purpose of allowing people
> to make the mistake?

It is free software and thus everyone may take, modify and publish copies. IIRC, Jeroen once contacted me and he agreed to add a note stating that it is not the official/primary repo.

For 25 years or so new projects register a .org domain and that should be the first try to locate development versions. In case of GnuPG, you can also look into the AUTHORS file (or Debian's copyright file) to figure out where the main developers put their work.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

[Attachment scrubbed: signature.asc, application/pgp-signature, 227 bytes]
From jeroen at berkeley.edu Sat Apr 4 18:03:22 2020
From: jeroen at berkeley.edu (Jeroen Ooms)
Date: Sat, 4 Apr 2020 18:03:22 +0200
Subject: Someone is squatting GnuPG names
In-Reply-To: <874ku1smru.fsf@wheatstone.g10code.de>
References: <2Y5ACKDFXKC5Z.3MH3IP1XIKF7S@my.amazin.horse> <874ku1smru.fsf@wheatstone.g10code.de>

On Thu, Apr 2, 2020 at 9:40 PM Werner Koch via Gnupg-devel wrote:
>
> On Thu, 2 Apr 2020 04:26, Jeffrey Walton said:
>
> > Why has GnuPG not taken action? What is the purpose of allowing people
> > to make the mistake?
>
> It is free software and thus everyone may take, modify and publish
> copies. IIRC, Jeroen once contacted me and he agreed to add a note
> stating that it is not the official/primary repo.
>
> For 25 years or so new projects register a .org domain and that should
> be the first try to locate development versions. In case of GnuPG, you
> can also look into the AUTHORS file (or Debian's copyright file) to
> figure out where the main developers put their work.

Indeed, we use this git mirror (not fork) to make the GnuPG sources more accessible for ourselves and other Github users. Github has nice tools for browsing, searching, and tracking development which are not available from the GnuPG git server.

The code is not modified in any way, so it is really no different than mirroring the tarballs. This is all in the scope of the GNU license. I find it strange to hear OP talk about "authorized source" as if it concerns his personal proprietary software and copies should be taken down. This is merely a mirror to increase the visibility and accessibility of GnuPG source code for the large number of Github users and the larger public.
There are many other open source git organizations that develop in a self-hosted git server but still host a mirror on Github: https://github.com/freedesktop

We make it obvious in the description of the Github account that this is an unofficial mirror. In case people somehow miss that and send a pull request, we reply that this is a mirror and point them to the official sources: https://github.com/gpg/gnupg/pulls?q=is%3Apr+is%3Aclosed

If somebody within the GnuPG team wants to take over the mirroring process, I am happy to transfer ownership of the Github account, but last time I asked, nobody was interested.

From uri at mit.edu Sat Apr 4 20:52:37 2020
From: uri at mit.edu (Uri Blumenthal)
Date: Sat, 4 Apr 2020 18:52:37 +0000
Subject: Someone is squatting GnuPG names
Message-ID: <34FC55F2-B1DB-4DF5-8BAE-3DCB22167134@mit.edu>

"Authorized" in the context means "maintained by somebody trusted (by the community) to introduce no malicious changes, and faithfully reproduce the original/upstream code". This concern exists for all the software, security-related and not, open source and proprietary. But for some, like GnuPG, because of their role in the community, it matters more.

It's good to know that this is the "official" GitHub mirror, because I wouldn't want to download "doctored" source, and don't have resources to scrutinize all the source sufficiently to detect such changes.

> On Apr 4, 2020, at 13:33, Jeroen Ooms wrote:
>
> On Thu, Apr 2, 2020 at 9:40 PM Werner Koch via Gnupg-devel
> wrote:
>>
>> On Thu, 2 Apr 2020 04:26, Jeffrey Walton said:
>>
>>> Why has GnuPG not taken action? What is the purpose of allowing people
>>> to make the mistake?
>>
>> It is free software and thus everyone may take, modify and publish
>> copies. IIRC, Jeroen once contacted me and he agreed to add a note
>> stating that it is not the official/primary repo.
>>
>> For 25 years or so new projects register a .org domain and that should
>> be the first try to locate development versions. In case of GnuPG, you
>> can also look into the AUTHORS file (or Debian's copyright file) to
>> figure out where the main developers put their work.
>
> Indeed, we use this git mirror (not fork) to make the GnuPG sources
> more accessible for ourselves and other Github users. Github has nice
> tools for browsing, searching, and tracking development which are not
> available from the GnuPG git server.
>
> The code is not modified in any way, so it is really no different than
> mirroring the tarballs. This is all in the scope of the GNU license. I
> find it strange to hear OP talk about "authorized source" as if it
> concerns his personal proprietary software and copies should be taken
> down. This is merely a mirror to increase the visibility and
> accessibility of GnuPG source code for the large number of Github
> users and the larger public. There are many other open source git
> organizations that develop in a self-hosted git server but still host
> a mirror on Github: https://github.com/freedesktop
>
> We make it obvious in the description of the Github account that this
> is an unofficial mirror. In case people somehow miss that and send a
> pull request, we reply that this is a mirror and point them to the
> official sources:
> https://github.com/gpg/gnupg/pulls?q=is%3Apr+is%3Aclosed
>
> If somebody within the GnuPG team wants to take over the mirroring
> process, I am happy to transfer ownership of the Github account, but
> last time I asked, nobody was interested.
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel

[Attachment scrubbed: smime.p7s, application/pkcs7-signature, 2894 bytes]
From gpg-devel at nopicturesplease.de Sun Apr 5 21:03:33 2020
From: gpg-devel at nopicturesplease.de (Holger Smolinski via [gnupg-devel])
Date: Sun, 5 Apr 2020 21:03:33 +0200
Subject: Someone is squatting GnuPG names
References: <2Y5ACKDFXKC5Z.3MH3IP1XIKF7S@my.amazin.horse> <874ku1smru.fsf@wheatstone.g10code.de>
Message-ID: <8336164b-dee3-1653-07e7-6601e62186b2@nopicturesplease.de>

Dear Jeroen,

On 04.04.20 at 18:03, Jeroen Ooms wrote:
> On Thu, Apr 2, 2020 at 9:40 PM Werner Koch via Gnupg-devel
> wrote:
>> On Thu, 2 Apr 2020 04:26, Jeffrey Walton said:
>>> Why has GnuPG not taken action? What is the purpose of allowing people
>>> to make the mistake?
>> It is free software and thus everyone may take, modify and publish
>> copies. IIRC, Jeroen once contacted me and he agreed to add a note
>> stating that it is not the official/primary repo.
>> [...]
> Indeed, we use this git mirror (not fork) to make the GnuPG sources
> more accessible for ourselves and other Github users. Github has nice
> tools for browsing, searching, and tracking development which are not
> available from the GnuPG git server.

thanks for the clarification. I have been erroneously classifying your mirror as a fork.

Actually, I believe that for security software the existence of (unofficial) mirrors is kind of a double-edged sword. On the one hand it is beneficial to avoid having only a single source of distribution as a single point of failure. On the other hand there is a risk of untrusted changes making their way into any replica of the official sources.

A pure mirror, that is an exact copy of the master, is no problem; ideally it would publish a proof of being identical to the master. Any forks, meaning copies which can include different code, are no problem if, by effective measures, precautions are made to avoid any disambiguation from the master. A link to the master copy is the minimum.
Ideally, and I guess enforcement is limited, except by trade mark laws (as in Apache license), any fork with deviating code should also include a warning in huge friendly letters that this code is not to be used in any critical environment.

In your case, there is the little caveat of github.com/gpg being a location where people from this century would expect the one and only source of truth. Which remains true as long as your mirror is still a mirror. The next step I foresee is developers attempting to contribute to the official source by forking from your mirror and creating github pull requests, rather than sticking to the rules of the project... you see where this could lead to, don't you?

Maybe you want to add an additional hint that your repo is a read-only mirror and contributions MUST be directed through the official ways in order to go upstream, as this is security relevant software.

What do you think?

Best Regards
Holger

[Attachment scrubbed: signature.asc, application/pgp-signature, 554 bytes, OpenPGP digital signature]

From wk at gnupg.org Mon Apr 6 12:51:34 2020
From: wk at gnupg.org (Werner Koch)
Date: Mon, 06 Apr 2020 12:51:34 +0200
Subject: Someone is squatting GnuPG names
In-Reply-To: <34FC55F2-B1DB-4DF5-8BAE-3DCB22167134@mit.edu> (Uri Blumenthal's message of "Sat, 4 Apr 2020 18:52:37 +0000")
References: <34FC55F2-B1DB-4DF5-8BAE-3DCB22167134@mit.edu>
Message-ID: <87a73oopjd.fsf@wheatstone.g10code.de>

On Sat, 4 Apr 2020 18:52, Uri Blumenthal said:

> It's good to know that this is the "official" GitHub mirror, because I

Given that Git is a decentralized VCS, it is not easy to say what is official (i.e. from the usual upstream authors) and what is non-official. There is an easy solution however: Most of us sign our commits and all release tags are also signed with the release key.
And well, there are official release tarballs; we consider everything taken directly from a repo as a development version.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

[Attachment scrubbed: signature.asc, application/pgp-signature, 227 bytes]

From kirelagin at gmail.com Wed Apr 15 13:05:08 2020
From: kirelagin at gmail.com (Kirill Elagin)
Date: Wed, 15 Apr 2020 14:05:08 +0300
Subject: gpgme [PATCH] Fix python tests on non-Linux

[HTML attachment scrubbed]
[Attachment scrubbed: 0001-Fix-python-tests-on-non-Linux.patch, application/octet-stream, 1741 bytes]

From robbat2 at gentoo.org Sat Apr 18 20:39:39 2020
From: robbat2 at gentoo.org (Robin H. Johnson)
Date: Sat, 18 Apr 2020 18:39:39 +0000
Subject: list-options vs unusable keys (not subkeys or uids)

TL;DR: Could --list-options easily gain flags to hide the revoked/expired keys entirely?

The manpage has --list-options, with the following:

> show-unusable-uids
>     Show revoked and expired user IDs in key listings. Defaults to no.
> show-unusable-subkeys
>     Show revoked and expired subkeys in key listings. Defaults to no.

This lets you easily exclude UIDs and subkeys. It does not let you exclude entire keys that are not usable.

I'd like to be able to easily see just the usable keys in my keyring, while not removing any of the unusable keys (e.g. I might want to go and read mail from a decade ago that I have in my archives, and it still has the original signature because the files are effectively read-only).
-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2 at gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[Attachment scrubbed: signature.asc, application/pgp-signature, 1113 bytes]

From liste at secarica.ro Sun Apr 19 18:50:29 2020
From: liste at secarica.ro (Cristian Secară)
Date: Sun, 19 Apr 2020 19:50:29 +0300
Subject: where can I find the localization source code files for Kleopatra ?
Message-ID: <20200419195029.00003089@secarica.ro>

Hello,

I would like to add some missing localization strings for my language (Romanian) for Kleopatra, not necessarily upstream, but at least for myself. However, I am not able to find the source code, particularly the language files (.pot template and existing .po files).

GPG4Win doesn't seem to have the source code for the Kleopatra component and on KDE I only found some very old files. It is possible, however, that I do not know how to properly look there. Also the project I found on github does not contain any .po* files [1].

So, question: any idea where I can find the most recent localization source code files for Kleopatra?

Thank you,
Cristi

[1] https://github.com/KDE/kleopatra

-- 
Cristian Secară
https://www.secarica.ro

From yurchor at ukr.net Sun Apr 19 20:47:47 2020
From: yurchor at ukr.net (Yuri Chornoivan)
Date: Sun, 19 Apr 2020 21:47:47 +0300
Subject: where can I find the localization source code files for Kleopatra ?
In-Reply-To: <20200419195029.00003089@secarica.ro>
References: <20200419195029.00003089@secarica.ro>
Message-ID: <2960294.qyYV8MjTSV@localhost.localdomain>

On Sunday, 19 April 2020 at 19:50:29 EEST, Cristian Secară wrote:
> Hello,
>
> I would like to add some missing localization strings for my language
> (Romanian) for Kleopatra, not necessarily upstream, but at least for
> myself.
> However, I am not able to find the source code, particularly
> the language files (.pot template and existing .po files).
>
> GPG4Win doesn't seem to have the source code for the Kleopatra component
> and on KDE I only found some very old files. It is possible, however,
> that I do not know how to properly look there. Also the project I found
> on github does not contain any .po* files [1].
>
> So, question: any idea where I can find the most recent localization
> source code files for Kleopatra?
>
> Thank you,
> Cristi
>
> [1] https://github.com/KDE/kleopatra

Hi,

In KDE Subversion repo, for sure.

Template (updated every day):
https://websvn.kde.org/*checkout*/trunk/l10n-kf5/templates/messages/pim/kleopatra.pot

Romanian translation (synced):
http://websvn.kde.org/*checkout*/trunk/l10n-kf5/ro/messages/pim/kleopatra.po

Other files for Kleopatra can be found here:
https://l10n.kde.org/stats/gui/trunk-kf5/team/ro/pim/

Best regards,
Yuri

From bernhard at intevation.de Wed Apr 22 14:07:12 2020
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 22 Apr 2020 14:07:12 +0200
Subject: GnuPG 2.2 on elder Debian & Ubuntu distros
Message-ID: <202004221407.18107.bernhard@intevation.de>

Phil,

On Friday 27 October 2017 18:24:45, Phil Pennock wrote:
> Thus at I have packages

still cool! I've added them to https://wiki.gnupg.org/PlatformNotes now. :)

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

[Attachment scrubbed: signature.asc, application/pgp-signature, 488 bytes, digitally signed message part]
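Two points in the "squatting" thread above can be turned into a concrete check: Holger's wish that a pure mirror "publish a proof of being identical to the master", and Werner's reminder that the real anchor is signed commits and signed release tags. The following is an added example, not code from the GnuPG project or from anyone in the thread. It parses the output of `git ls-remote --heads --tags <url>` taken from upstream and from a mirror and reports refs that diverge, are missing on the mirror, or exist only on the mirror. The two listings are constructed sample data with placeholder object ids and ref names (release-A, release-B, mirror-ci), not real GnuPG refs.

```python
"""Check whether a git mirror advertises the same refs as upstream.

Added example (not GnuPG project code).  `git ls-remote --heads --tags <url>`
prints one "<object-id>TAB<refname>" line per ref; for an annotated tag it
prints the tag object and, on a second line ending in "^{}", the commit the
tag points to.  Comparing two listings shows, offline, whether a mirror is
an exact replica of the master or has drifted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample listings with placeholder object ids and ref names.
# In real use, capture each with:  git ls-remote --heads --tags <url>
UPSTREAM_LISTING = """\
1111111111111111111111111111111111111111\trefs/heads/master
2222222222222222222222222222222222222222\trefs/tags/release-A
3333333333333333333333333333333333333333\trefs/tags/release-A^{}
4444444444444444444444444444444444444444\trefs/tags/release-B
5555555555555555555555555555555555555555\trefs/tags/release-B^{}
"""

# The mirror matches master and release-A, but its release-B tag points
# elsewhere, and it carries a branch that upstream does not have.
MIRROR_LISTING = """\
1111111111111111111111111111111111111111\trefs/heads/master
2222222222222222222222222222222222222222\trefs/tags/release-A
3333333333333333333333333333333333333333\trefs/tags/release-A^{}
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/release-B
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/release-B^{}
cccccccccccccccccccccccccccccccccccccccc\trefs/heads/mirror-ci
"""


def parse_ls_remote(listing: str) -> Dict[str, str]:
    """Map each ref name to the object id it advertises."""
    refs: Dict[str, str] = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        oid, ref = line.split("\t", 1)
        refs[ref] = oid
    return refs


@dataclass
class MirrorReport:
    """Differences between an upstream listing and a mirror listing."""
    diverged: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ref -> (upstream, mirror)
    missing: List[str] = field(default_factory=list)   # present upstream, absent on mirror
    extra: List[str] = field(default_factory=list)     # present on mirror only

    @property
    def is_exact_copy(self) -> bool:
        return not (self.diverged or self.missing or self.extra)


def compare_refs(upstream: str, mirror: str) -> MirrorReport:
    """Classify every ref as identical, diverged, missing or extra."""
    up = parse_ls_remote(upstream)
    mi = parse_ls_remote(mirror)
    report = MirrorReport()
    for ref in sorted(up):
        if ref not in mi:
            report.missing.append(ref)
        elif mi[ref] != up[ref]:
            report.diverged[ref] = (up[ref], mi[ref])
    report.extra = sorted(set(mi) - set(up))
    return report


def main() -> None:
    report = compare_refs(UPSTREAM_LISTING, MIRROR_LISTING)
    print("exact copy:", report.is_exact_copy)
    for ref, (u, m) in report.diverged.items():
        print(f"DIVERGED {ref}: upstream {u[:12]} mirror {m[:12]}")
    for ref in report.missing:
        print(f"MISSING  {ref}")
    for ref in report.extra:
        print(f"EXTRA    {ref}")


if __name__ == "__main__":
    main()
```

A diverging or extra ref is a signal, not proof of tampering: a mirror can simply lag behind upstream, and its operator may legitimately add CI branches. Once a fetched tag matches upstream's, `git verify-tag <tag>` (or `git log --show-signature` for commits) checks the signature Werner describes against the release key you already hold, and that check is independent of where the copy was hosted.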
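For Robin's question about hiding unusable keys: --list-options has no flag for it, but the machine-readable output of `gpg --with-colons --list-keys` carries a validity code for every key, so the filtering can be done outside gpg. The following is an added example, not GnuPG project code and not something anyone in the thread posted. The sample listing is constructed (placeholder key IDs and user IDs) following the record layout documented in GnuPG's doc/DETAILS, and the code assumes gpg 2.1 or later, where the creation and expiry fields are Unix timestamps.

```python
"""Filter `gpg --with-colons --list-keys` output down to usable primary keys.

Added example, not GnuPG project code.  --list-options can hide unusable
UIDs and subkeys but not whole keys, so this filters on the colon format
instead.  Field positions follow doc/DETAILS: field 1 record type, field 2
validity, field 5 key ID, field 7 expiry, field 10 user ID, field 12
capabilities.  Assumes gpg 2.1 or later (dates are Unix timestamps).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Validity codes (field 2) that make a key unusable: revoked, expired,
# disabled (old style), invalid.  Newer gpg signals "disabled" with an
# uppercase D in the capabilities field instead, so both are checked.
UNUSABLE_VALIDITY = {"r", "e", "d", "i"}

# Constructed sample listing with placeholder key IDs and user IDs.
SAMPLE_LISTING = """\
tru::1:1586000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1500000000::UIDHASH1::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
pub:e:2048:1:1111111111111111:1300000000:1400000000::-:::scESC::::::23::0:
uid:e::::1300000000::UIDHASH2::Expired Example <expired@example.org>::::::::::0:
pub:r:2048:1:2222222222222222:1400000000:::-:::scESC::::::23::0:
uid:r::::1400000000::UIDHASH3::Revoked Example <revoked@example.org>::::::::::0:
pub:-:3072:1:3333333333333333:1550000000:1580000000::-:::scESC::::::23::0:
uid:-::::1550000000::UIDHASH4::Stale Example <stale@example.org>::::::::::0:
"""


@dataclass
class Key:
    keyid: str
    validity: str
    expires: Optional[int]          # Unix timestamp, or None for "never"
    capabilities: str               # field 12, e.g. "scESC"; "D" marks disabled
    uids: List[str] = field(default_factory=list)

    def is_usable(self, now: int) -> bool:
        if self.validity in UNUSABLE_VALIDITY or "D" in self.capabilities:
            return False
        # The validity code was computed when gpg wrote the listing; also
        # compare the expiry date against the caller's notion of "now".
        if self.expires is not None and self.expires <= now:
            return False
        return True


def parse_colons(listing: str) -> List[Key]:
    """Group pub/uid records into Key objects; other record types are skipped."""
    keys: List[Key] = []
    current: Optional[Key] = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = Key(
                keyid=f[4],
                validity=f[1],
                expires=int(f[6]) if f[6] else None,
                capabilities=f[11] if len(f) > 11 else "",
            )
            keys.append(current)
        elif f[0] == "uid" and current is not None:
            # Field 10 is C-escaped by gpg (e.g. \x3a for ':'); kept as-is here.
            current.uids.append(f[9])
    return keys


def usable_keys(listing: str, now: int) -> List[Key]:
    """Return only keys that are neither revoked, expired, disabled nor invalid."""
    return [k for k in parse_colons(listing) if k.is_usable(now)]


def main() -> None:
    now = 1586000000  # constructed "current time" (April 2020)
    for key in usable_keys(SAMPLE_LISTING, now):
        print(key.keyid, key.uids[0] if key.uids else "")


if __name__ == "__main__":
    main()
```

Nothing is removed from the keyring, which is what Robin wants: the unusable keys stay available for verifying old signatures, and only the listing is narrowed. In practice the listing would be piped in from `gpg --with-colons --list-keys` and `now` taken from `time.time()`.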