Mailing List Archive

Someone is squatting GnuPG names
Hi Everyone,

It looks like someone is squatting the names "GPG" and "GnuPG"
(and the other subprojects). Also see https://github.com/gpg. They are
even using the project's icons.

Unsuspecting users don't really have a way to determine the projects
are not authorized. They don't show as a fork (in the upper left hand
corner). Rather they appear to be an authorized source.

I found the projects when searching for the project's github. I did
not learn they were fakes until Werner commented in a bug report.

If the projects are fake then GnuPG should contact GitHub (and other
Git-based services) and have the repos taken down.

Thanks in advance.

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: Someone is squatting GnuPG names
On 02.04.20 at 03:06, Jeffrey Walton via Gnupg-devel wrote:
> It looks like someone is squatting the names "GPG" and "GnuPG"
> (and the other subprojects). Also see https://github.com/gpg. They are
> even using the project's icons.

This guy, Jeroen Ooms, at UC Berkeley seems to fork and group various
repositories. Maybe he has "just" not understood unwritten naming
conventions for private repositories...

Could be helpful to talk to him and stay tuned for any activities which
could undermine the authority of mainline GnuPG.

Regards,
Holger
Re: Someone is squatting GnuPG names
> Unsuspecting users don't really have a way to determine the projects
> are not authorized. They don't show as a fork (in the upper left hand
> corner). Rather they appear to be an authorized source.

It says "unofficial gnupg mirrors", right there in the title from your link?
I agree it could be made more obvious (e.g. in repo descriptions), but it's not
like he's hiding the fact.

The decentralized nature of git will always lead to mirrors on pages like
github, and if it wasn't this guy mirroring in a systematic manner you'd still
have people pushing the repository or derivatives all over as part of their
normal workflows. At least this way they stay up to date.

Perhaps a friendly note asking to make a better mention of the fact the repos
are mirrors and a more visible pointer to upstream would be a good idea.

- V

Re: Someone is squatting GnuPG names
On Thu, Apr 2, 2020 at 3:42 AM Vincent Breitmoser <look@my.amazin.horse> wrote:
>
> > Unsuspecting users don't really have a way to determine the projects
> > are not authorized. They don't show as a fork (in the upper left hand
> > corner). Rather they appear to be an authorized source.
>
> It says "unofficial gnupg mirrors", right there in the title from your link?
> I agree it could be made more obvious (e.g. in repo descriptions), but it's not
> like he's hiding the fact.

Try this out: https://github.com/gpg/gnupg. There's no indication.

I made a pull request against it thinking the gnupg devs would handle it.

It fooled me and about 280 others.

Why in the world would someone squat an organization's name?

If it was jerome/gnupg I would have moved on.

Why has GnuPG not taken action? What is the purpose of allowing people
to make the mistake?

Jeff

Re: Someone is squatting GnuPG names
On Thu, 2 Apr 2020 04:26, Jeffrey Walton said:

> Why has GnuPG not taken action? What is the purpose of allowing people
> to make the mistake?

It is free software and thus everyone may take, modify and publish
copies. IIRC, Jeroen once contacted me and he agreed to add a note
stating that it is not the official/primary repo.

For 25 years or so new projects register a .org domain and that should
be the first try to locate development versions. In case of GnuPG, you
can also look into the AUTHORS file (or Debian's copyright file) to
figure out where the main developers put their work.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are governed by a federal law.
Re: Someone is squatting GnuPG names
On Thu, Apr 2, 2020 at 9:40 PM Werner Koch via Gnupg-devel
<gnupg-devel@gnupg.org> wrote:
>
> On Thu, 2 Apr 2020 04:26, Jeffrey Walton said:
>
> > Why has GnuPG not taken action? What is the purpose of allowing people
> > to make the mistake?
>
> It is free software and thus everyone may take, modify and publish
> copies. IIRC, Jeroen once contacted me and he agreed to add a note
> stating that it is not the official/primary repo.
>
> For 25 years or so new projects register a .org domain and that should
> be the first try to locate development versions. In case of GnuPG, you
> can also look into the AUTHORS file (or Debian's copyright file) to
> figure out where the main developers put their work.

Indeed, we use this git mirror (not fork) to make the GnuPG sources
more accessible for ourselves and other Github users. Github has nice
tools for browsing, searching, and tracking development which are not
available from the GnuPG git server.

The code is not modified in any way, so it is really no different than
mirroring the tarballs. This is all in the scope of the GNU license. I
find it strange to hear OP talk about "authorized source" as if it
concerns his personal proprietary software and copies should be taken
down. This is merely a mirror to increase the visibility and
accessibility of GnuPG source code for the large number of Github
users and the larger public. There are many other open source git
organizations that develop in a self-hosted git server but still host
a mirror on Github: https://github.com/freedesktop

We make it obvious in the description of the Github account that this
is an unofficial mirror. In case people somehow miss that and send a
pull request, we reply that this is a mirror and point them to the
official sources:
https://github.com/gpg/gnupg/pulls?q=is%3Apr+is%3Aclosed

If somebody within the GnuPG team wants to take over the mirroring
process, I am happy to transfer ownership of the Github account, but
last time I asked, nobody was interested.

Re: Someone is squatting GnuPG names
"Authorized" in the context means "maintained by somebody trusted (by the community) to introduce no malicious changes, and faithfully reproduce the original/upstream code".

This concern exists for all the software, security-related and not, open source and proprietary. But for some, like GnuPG, because of their role in the community, it matters more.

It's good to know that this is the "official" GitHub mirror, because I wouldn't want to download "doctored" source, and don't have resources to scrutinize all the source sufficiently to detect such changes.


> On Apr 4, 2020, at 13:33, Jeroen Ooms <jeroen@berkeley.edu> wrote:
>
> On Thu, Apr 2, 2020 at 9:40 PM Werner Koch via Gnupg-devel
> <gnupg-devel@gnupg.org> wrote:
>>
>> On Thu, 2 Apr 2020 04:26, Jeffrey Walton said:
>>
>>> Why has GnuPG not taken action? What is the purpose of allowing people
>>> to make the mistake?
>>
>> It is free software and thus everyone may take, modify and publish
>> copies. IIRC, Jeroen once contacted me and he agreed to add a note
>> stating that it is not the official/primary repo.
>>
>> For 25 years or so new projects register a .org domain and that should
>> be the first try to locate development versions. In case of GnuPG, you
>> can also look into the AUTHORS file (or Debian's copyright file) to
>> figure out where the main developers put their work.
>
> Indeed, we use this git mirror (not fork) to make the GnuPG sources
> more accessible for ourselves and other Github users. Github has nice
> tools for browsing, searching, and tracking development which are not
> available from the GnuPG git server.
>
> The code is not modified in any way, so it is really no different than
> mirroring the tarballs. This is all in the scope of the GNU license. I
> find it strange to hear OP talk about "authorized source" as if it
> concerns his personal proprietary software and copies should be taken
> down. This is merely a mirror to increase the visibility and
> accessibility of GnuPG source code for the large number of Github
> users and the larger public. There are many other open source git
> organizations that develop in a self-hosted git server but still host
> a mirror on Github: https://github.com/freedesktop
>
> We make it obvious in the description of the Github account that this
> is an unofficial mirror. In case people somehow miss that and send a
> pull request, we reply that this is a mirror and point them to the
> official sources:
> https://github.com/gpg/gnupg/pulls?q=is%3Apr+is%3Aclosed
>
> If somebody within the GnuPG team wants to take over the mirroring
> process, I am happy to transfer ownership of the Github account, but
> last time I asked, nobody was interested.
>
Re: Someone is squatting GnuPG names
Dear Jeroen,

On 04.04.20 at 18:03, Jeroen Ooms wrote:
> On Thu, Apr 2, 2020 at 9:40 PM Werner Koch via Gnupg-devel
> <gnupg-devel@gnupg.org> wrote:
>> On Thu, 2 Apr 2020 04:26, Jeffrey Walton said:
>>> Why has GnuPG not taken action? What is the purpose of allowing people
>>> to make the mistake?
>> It is free software and thus everyone may take, modify and publish
>> copies. IIRC, Jeroen once contacted me and he agreed to add a note
>> stating that it is not the official/primary repo.
>> [...]
> Indeed, we use this git mirror (not fork) to make the GnuPG sources
> more accessible for ourselves and other Github users. Github has nice
> tools for browsing, searching, and tracking development which are not
> available from the GnuPG git server.

thanks for the clarification. I have been erroneously classifying your
mirror as a fork. Actually, I believe that for security software the
existence of (unofficial) mirrors is kind of a double-edged sword. On
the one hand it is beneficial to avoid having only a single source of
distribution as a single point of failure. On the other hand there is a
risk of untrusted changes making their way into any replica of the
official sources.

A pure mirror, that is an exact copy of the master, is no problem,
ideally it would publish a proof of being identical to the master.

Any forks, meaning copies which can include different code, are no problem
if, by effective measures, precautions are made to avoid any
disambiguation from the master. A link to the master copy is the minimum.
Ideally, and I guess enforcement is limited, except by trademark laws
(as in the Apache license), any fork with deviating code should also include
a warning in huge friendly letters that this code is not to be used in
any critical environment.

In your case, there is the little caveat of github.com/gpg being a
location where people from this century would expect the one and only
source of truth. Which remains true as long as your mirror is still a
mirror. The next step I foresee is developers attempting to contribute
to the official source by forking from your mirror and creating github
pull requests, rather than sticking to the rules of the project... you
see where this could lead, don't you?

Maybe you want to add an additional hint that your repo is a read-only
mirror and contributions MUST be directed through the official ways in
order to go upstream, as this is security-relevant software. What do you
think?

Best Regards
Holger
Re: Someone is squatting GnuPG names
On Sat, 4 Apr 2020 18:52, Uri Blumenthal said:

> It's good to know that this is the "official" GitHub mirror, because I

Given that Git is a decentralized VCS, it is not easy to say what is
official (i.e. from the usual upstream authors) and what is non-official.
There is an easy solution however: Most of us sign our commits and all
release tags are also signed with the release key. And well there are
official release tarballs; we consider everything taken directly from a
repo as a development version.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are governed by a federal law.