Re: Package namespace grab

To: Johannes Schauer Marin Rodrigues <josch@debian.org>
Cc: ftpmaster@debian.org, deity@lists.debian.org
Subject: Re: Package namespace grab
From: Simon Josefsson <simon@josefsson.org>
Date: Thu, 18 Jan 2024 22:59:27 +0100
Message-id: <[🔎] 8734uu716o.fsf@kaka.sjd.se>
In-reply-to: <[🔎] 170561115218.2567051.7462695382480730305@localhost> (Johannes Schauer Marin Rodrigues's message of "Thu, 18 Jan 2024 21:52:32 +0100")
References: <CAENgTz0hL8VQnFhvsijnZY0nvrK1t5M0TE2KApm_+pkN55FXyw@mail.gmail.com> <e6jgyeozagwksrmoc5hbsp52jufxj63ixtmjpk5d5z27ibunkx@2mtu4eqb2yf3> <[🔎] 170561115218.2567051.7462695382480730305@localhost>

Johannes Schauer Marin Rodrigues <josch@debian.org> writes:

> Hi,
>
> Quoting David Kalnischkies (2024-01-18 19:30:00)
>> On Thu, Jan 18, 2024 at 02:35:40PM +0000, Aidan wrote:
>> > I am looking for a sponsor for my package "dpkg-buildenv":
>> 
>> Similar to my recent "veto" of apt-verify in #1059267, which was
>> subsequently ignored and pushed into the archive anyhow
>
> how did this happen? Both maintainers of apt spoke up against apt-verify
> getting uploaded with the name that it had. How did it make it into the archive
> after all?
>
> Simon, given the "vetos" you got from apt maintainers: Why did you still think
> it was a good idea to upload using the contended name?

Hi Johannes.  I didn't think that -- the package was uploaded before I
got those e-mails (check timeline if you don't believe me).

The package does not override APT's signature verification, so I don't
understand the rationale for a RC bug.  There are other packages in
Debian that rely on the apt::key::gpgvcommand hack already.  I am
commited to fix my package when/if there are changes to apt in unstable
wrt this interface.

I hope to find time to reply more in depth and to take part in improving
apt.  I believe an interface to hook into Release file verifications are
essential in today's world where the people who has access to Debian's
OpenPGP private keys have the ability to mount per-organization attacks
that apt will not detect.

/Simon

> Now I read in #1060181 that your tool parses configuration files in
> /usr/share/apt/verify.d and /etc/apt/verify.d. I hope that in contrast
> to the naming dispute, this choice of path was agreed upon with the
> apt maintainers?
>
> I hope that letting this package through NEW was just a slip-up by FTP masters?
> If not, what was the rationale to allow for a package to grab the namespace of
> such an important Debian utility?
>
> Now leaving the namespace grab aside:
>
> There are a bunch of very good technical arguments as as well that David and
> Julian made in #1059267 and which I do not need to repeat here. Julian already
> said in that bug that he'd immediately file an RC bug should that package get
> accepted.
>
> What went wrong here such that this package went through despite these reasons
> against it? Am I missing something?
>
> Thanks!
>
> cheers, josch
>

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Package namespace grab (was: Re: Bug#1061111: RFS: dpkg-buildenv/1.0.0 [ITP] -- Builds debian packages in a docker container.)
  - From: Johannes Schauer Marin Rodrigues <josch@debian.org>

Prev by Date: Package namespace grab (was: Re: Bug#1061111: RFS: dpkg-buildenv/1.0.0 [ITP] -- Builds debian packages in a docker container.)
Next by Date: Re: Bug#1057199: debian-policy: express more clearly that Conflicts to not reliably prevent concurrent unpacks
Previous by thread: Package namespace grab (was: Re: Bug#1061111: RFS: dpkg-buildenv/1.0.0 [ITP] -- Builds debian packages in a docker container.)
Next by thread: Re: Package namespace grab
Index(es):
- Date
- Thread