Someone is squatting GnuPG names

Holger Smolinski via [gnupg-devel] gpg-devel at nopicturesplease.de
Sun Apr 5 21:03:33 CEST 2020


Dear Jeroen,

On 04.04.20 at 18:03, Jeroen Ooms wrote:
> On Thu, Apr 2, 2020 at 9:40 PM Werner Koch via Gnupg-devel
> <gnupg-devel at gnupg.org> wrote:
>> On Thu,  2 Apr 2020 04:26, Jeffrey Walton said:
>>> Why has GnuPG not taken action? What is the purpose of allowing people
>>> to make the mistake?
>> It is free software and thus everyone may take, modify and publish
>> copies.  IIRC, the Jeroen once contacted me and he agreed to add a note
>> stating that it is not the official/primary repo.
>> [...]
> Indeed, we use this git mirror (not fork) to make the GnuPG sources
> more accessible for ourselves and other Github users. Github has nice
> tools for browsing, searching, and tracking development which are not
> available from the GnuPG git server.

Thanks for the clarification. I have been erroneously classifying your
mirror as a fork. Actually, I believe that for security software the
existence of (unofficial) mirrors is kind of a double-sided sword. On
the one hand it is beneficial to avoid having only a single source of
distribution as a single point of failure. On the other hand there is a
risk of untrusted changes making their way into any replica of the
official sources.

A pure mirror, that is an exact copy of the master, is no problem,
ideally it would publish a proof of being identical to the master.

Any forks, meaning copies which can include different code, are no problem
if, by effective measures, precautions are made to avoid any
disambiguation from the master. A link to the master copy is the minimum.
Ideally, and I guess enforcement is limited, except by trade mark laws
(as in Apache license), any fork with deviating code should also include
a warning in huge friendly letters that this code is not to be used in
any critical environment.

In your case, there is the little caveat of github.com/gpg being a
location where people from this century would expect the one and only
source of truth. Which remains true as long as your mirror is still a
mirror. The next step I foresee is developers attempting to contribute
to the official source by forking from your mirror and creating github
pull requests, rather than sticking to the rules of the project... you
see where this could lead to, don't you?

Maybe you want to add an additional hint that your repo is a read-only
mirror and contributions MUST be directed through the official ways in
order to go upstream, as this is security relevant software. What do you
think?

Best Regards
	Holger
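
The check a reader can run for the "exact copy of the master" property mentioned in the message above, as an added example that is not part of the original post or of GnuPG: it compares the ref listings that `git ls-remote` prints for the official repository and for a mirror. The sample listings, object ids and ref names are constructed, and ignoring `refs/pull/` (refs that GitHub adds on its side) is an assumption of this example.

```python
import re

# One line of `git ls-remote <url>` output: "<object id><TAB><ref name>".
LINE = re.compile(r"^([0-9a-f]{40}|[0-9a-f]{64})\t(\S+)$")

def parse_ls_remote(text):
    """Return {ref name: object id}, rejecting malformed or duplicate lines."""
    refs = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"line {n}: not '<object id><TAB><ref>': {line!r}")
        oid, ref = m.groups()
        if ref in refs:
            raise ValueError(f"line {n}: duplicate ref {ref}")
        refs[ref] = oid
    return refs

def compare(upstream_text, mirror_text, ignore_prefixes=("refs/pull/",)):
    """Report refs the mirror lacks, adds, or points at a different object."""
    up = parse_ls_remote(upstream_text)
    mi = {r: o for r, o in parse_ls_remote(mirror_text).items()
          if not r.startswith(tuple(ignore_prefixes))}
    return {
        "missing": sorted(up.keys() - mi.keys()),
        "extra": sorted(mi.keys() - up.keys()),
        "diverged": sorted(r for r in up.keys() & mi.keys() if up[r] != mi[r]),
    }

def is_exact_mirror(report):
    return not any(report.values())

# Constructed sample listings (made-up object ids and ref names).
UPSTREAM = "\n".join([
    "a" * 40 + "\tHEAD",
    "a" * 40 + "\trefs/heads/master",
    "b" * 40 + "\trefs/heads/stable",
    "c" * 40 + "\trefs/tags/v1.0",
])
MIRROR = "\n".join([
    "a" * 40 + "\tHEAD",
    "a" * 40 + "\trefs/heads/master",
    "d" * 40 + "\trefs/heads/stable",         # tip differs from upstream
    "e" * 40 + "\trefs/heads/extra-feature",  # not present upstream
    "f" * 40 + "\trefs/pull/1/head",          # host-side ref, ignored
])

if __name__ == "__main__":
    print(compare(UPSTREAM, MIRROR))
```

Because a git object id is a hash over the commit's content and its history, matching tips mean matching history, but only as far as the hash function and the channel used to fetch the upstream listing can be trusted.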
