Someone is squatting GnuPG names

Uri Blumenthal uri at mit.edu
Sat Apr 4 20:52:37 CEST 2020


"Authorized" in the context means "maintained by somebody trusted (by the community) to introduce no malicious changes, and faithfully reproduce the original/upstream code".

This concern exists for all the software, security-related and not, open source and proprietary. But for some, like GnuPG, because of their role in the community, it matters more.

It's good to know that this is the "official" GitHub mirror, because I wouldn't want to download "doctored" source, and don't have resources to scrutinize all the source sufficiently to detect such changes.


> On Apr 4, 2020, at 13:33, Jeroen Ooms <jeroen at berkeley.edu> wrote:
> 
> On Thu, Apr 2, 2020 at 9:40 PM Werner Koch via Gnupg-devel
> <gnupg-devel at gnupg.org> wrote:
>> 
>> On Thu,  2 Apr 2020 04:26, Jeffrey Walton said:
>> 
>>> Why has GnuPG not taken action? What is the purpose of allowing people
>>> to make the mistake?
>> 
>> It is free software and thus everyone may take, modify and publish
>> copies.  IIRC, Jeroen once contacted me and he agreed to add a note
>> stating that it is not the official/primary repo.
>> 
>> For 25 years or so new projects register a .org domain and that should
>> be the first try to locate development versions.  In case of GnuPG, you
>> can also look into the AUTHORS file (or Debian's copyright file) to
>> figure out where the main developers put their work.
> 
> Indeed, we use this git mirror (not fork) to make the GnuPG sources
> more accessible for ourselves and other Github users. Github has nice
> tools for browsing, searching, and tracking development which are not
> available from the GnuPG git server.
> 
> The code is not modified in any way, so it is really no different than
> mirroring the tarballs. This is all in the scope of the GNU license. I
> find it strange to hear OP talk about "authorized source" as if it
> concerns his personal proprietary software and copies should be taken
> down. This is merely a mirror to increase the visibility and
> accessibility of GnuPG source code for the large number of Github
> users and the larger public. There are many other open source git
> organizations that develop in a self-hosted git server but still host
> a mirror on Github: https://github.com/freedesktop
> 
> We make it obvious in the description of the Github account that this
> is an unofficial mirror. In case people somehow miss that and send a
> pull request, we reply that this is a mirror and point them to the
> official sources:
> https://github.com/gpg/gnupg/pulls?q=is%3Apr+is%3Aclosed
> 
> If somebody within the GnuPG team wants to take over the mirroring
> process, I am happy to transfer ownership of the Github account, but
> last time I asked, nobody was interested.
> 
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
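The practical question behind this thread is how a downstream user can confirm for themselves that a mirror really is "not modified in any way". The script below is an added example, not code from the thread or from the GnuPG project: it parses `git ls-remote` output from the upstream server and from a mirror and reports refs that match, differ, are missing from the mirror, or exist only there. The ref names and object ids in the sample data are constructed, not real GnuPG hashes; `fetch_refs` is the only part that needs network access and git installed.

```python
"""Compare branch/tag object ids between an upstream git server and a mirror."""
import subprocess
from typing import Dict, List

REF_PREFIXES = ("refs/heads/", "refs/tags/")


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Turn `git ls-remote` output into {refname: object-id}.
    Peeled tag lines (refs/tags/x^{}) are skipped so each ref is compared once."""
    refs: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        oid, name = line.split(maxsplit=1)
        if name.endswith("^{}"):
            continue
        refs[name.strip()] = oid
    return refs


def compare_refs(upstream: Dict[str, str], mirror: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every branch and tag: a mirror that faithfully reproduces upstream
    should produce only 'match' entries; anything in 'mismatch' or 'extra' deserves a look."""
    result: Dict[str, List[str]] = {"match": [], "mismatch": [], "missing": [], "extra": []}
    for name, oid in sorted(upstream.items()):
        if not name.startswith(REF_PREFIXES):
            continue
        if name not in mirror:
            result["missing"].append(name)
        elif mirror[name] != oid:
            result["mismatch"].append(name)
        else:
            result["match"].append(name)
    for name in sorted(mirror):
        if name.startswith(REF_PREFIXES) and name not in upstream:
            result["extra"].append(name)
    return result


def fetch_refs(url: str) -> Dict[str, str]:
    """Run `git ls-remote` against a live remote (needs git and network access)."""
    out = subprocess.run(["git", "ls-remote", url], check=True,
                         capture_output=True, text=True).stdout
    return parse_ls_remote(out)


# Constructed sample output; these are not real GnuPG object ids or tag names.
UPSTREAM_SAMPLE = (
    "1111111111111111111111111111111111111111\trefs/heads/master\n"
    "2222222222222222222222222222222222222222\trefs/tags/release-A\n"
    "3333333333333333333333333333333333333333\trefs/tags/release-A^{}\n"
    "4444444444444444444444444444444444444444\trefs/tags/release-B\n"
    "5555555555555555555555555555555555555555\trefs/tags/release-C\n"
)
MIRROR_SAMPLE = (
    "1111111111111111111111111111111111111111\trefs/heads/master\n"
    "2222222222222222222222222222222222222222\trefs/tags/release-A\n"
    "3333333333333333333333333333333333333333\trefs/tags/release-A^{}\n"
    "dddddddddddddddddddddddddddddddddddddddd\trefs/tags/release-B\n"
    "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\trefs/heads/mirror-only\n"
)

if __name__ == "__main__":
    report = compare_refs(parse_ls_remote(UPSTREAM_SAMPLE), parse_ls_remote(MIRROR_SAMPLE))
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Replace the two sample strings with `fetch_refs(<upstream url>)` and `fetch_refs(<mirror url>)` to run it against real remotes; a signed upstream tag whose id matches on the mirror can then be verified with `git verify-tag` as usual.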