Bug#953722: ITP: josm-installer -- Editor for OpenStreetMap (installer)

Bug#953722: ITP: josm-installer -- Editor for OpenStreetMap (installer)

Sebastiaan Couwenberg
Package: wnpp
Severity: wishlist
Owner: Bas Couwenberg <[hidden email]>

* Package name    : josm-installer
  Version         : 0.0.1+svn16006
  Upstream Author : Bas Couwenberg <[hidden email]>
* URL             : https://salsa.debian.org/debian-gis-team/josm-installer
* License         : GPL-2+
  Programming Lang: Python
  Description     : Editor for OpenStreetMap (installer)

 JOSM is an editor for OpenStreetMap (OSM) written in Java.
 The current version supports stand-alone GPX tracks, GPX track data
 from the OSM database and existing nodes, line segments and metadata tags
 from the OSM database.
 .
 OpenStreetMap is a project aimed squarely at creating and providing
 free geographic data such as street maps to anyone who wants them.
 The project was started because most maps you think of as free actually
 have legal or technical restrictions on their use, holding back people
 from using them in creative, productive or unexpected ways.
 .
 This package provides a script to install the upstream JARs.


The upstream source tree no longer includes all its dependencies; this
makes it too cumbersome to provide backports of JOSM, as that also
requires backporting all dependencies, which would break other reverse
dependencies in stable.

This package provides a script to download the pre-built JAR from upstream
and the application metadata for integration in desktop environments.


The package will be maintained within the Debian GIS team where it will
eventually replace the josm package.

Lance Harrison
You're a fucking low life, thinking that you are a developer of an operating system when in reality you created jack shit and are just a part of a group of low lives that packages other people's software and think they have created an operating system.
John Scott-3
In reply to this post by Sebastiaan Couwenberg
> The package will be maintained within the Debian GIS team where it will
> eventually replace the josm package.

Because this package will need to go in contrib or non-free, does this mean
JOSM will be removed from main? I think that is a substantial trade-off to
provide new backports. Could they both be maintained?

Sebastiaan Couwenberg
On 3/19/20 6:05 PM, John Scott wrote:
>> The package will be maintained within the Debian GIS team where it will
>> eventually replace the josm package.
>
> Because this package will need to go in contrib or non-free,

It's going to contrib.

> does this mean
> JOSM will be removed from main? I think that is a substantial trade-off to
> provide new backports. Could they both be maintained?

josm will be removed from main if it cannot be updated to newer tested
snapshots; keeping it in the archive at an increasingly outdated
revision makes no sense.

Because the OSM ecosystem is ever changing, backports of the tested
snapshots are essential for an OSM editor in Debian.

That's why this package was created, to make it possible for users to
have a recent OSM editor available in Debian.

Since this package was created there has been quite a bit of work by the
JOSM developers to accommodate packaging in Debian, which may allow us to
keep the josm package mostly as-is, using the source JAR to get the code
for the dependencies. If that works out, this ITP will be closed and the
FTP masters will be asked to REJECT the upload of josm-installer. If it
doesn't work out, josm-installer will become the best way to have a
recent JOSM on Debian.

Kind Regards,

Bas

--
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

Sebastiaan Couwenberg
On 3/19/20 6:29 PM, Sebastiaan Couwenberg wrote:

> On 3/19/20 6:05 PM, John Scott wrote:
>> does this mean
>> JOSM will be removed from main? I think that is a substantial trade-off to
>> provide new backports. Could they both be maintained?
>
> josm will be removed from main if it cannot be updated to newer tested
> snapshots, keeping it in the archive at an increasingly outdated
> revision makes no sense.
>
> Because the OSM ecosystem is ever changing backports of the tested
> snapshots are essential for an OSM editor in Debian.
>
> That's why this package was created, to make it possible for users to
> have a recent OSM editor available in Debian.
>
> Since this package was created there has been quite a bit of work by the
> JOSM developers to accommodate package in Debian, which may allow us to
> keep the josm package mostly as-is, using the source JAR to get the code
> for the dependencies. If that works out, this ITP will be closed and the
> FTP masters will be asked to REJECT the upload of josm-installer. If it
> doesn't work out, josm-installer will become the best way to have a
> recent JOSM on Debian.

If the source JARs work out to keep josm in Debian, we could also keep
this package as an alternative. By adding a local override for the
josm-installer systemd service it's easy to have it automatically update
to the latest builds of JOSM instead of tracking the tested builds we do
for the josm package.

If people want to have both, they should get involved in the maintenance
of the packages.

Kind Regards,

Bas

Christoph Anton Mitterer-2
In reply to this post by Sebastiaan Couwenberg
Hey.

> The package will be maintained within the Debian GIS team where
> it will eventually replace the josm package.

I'm afraid this is a really unfortunate idea.


Downloader packages - and that's what this is - are generally a bad
idea.

They circumvent package management, any tools building upon package
management (from simple things like apt-listchanges to advanced things
like Icinga/Nagios checks for package upgrades) and any reasonable
security support.

I know only a few such downloader tools which do it really right, i.e. in
a secure way.
Just checking for some signatures isn't typically enough, as it allows
for things like downgrade attacks.

Some downloader tools even use the upstream keys for verification,
which may sound good at first glance, but would effectively allow a
hostile (or hacked) upstream to selectively send hacked versions of the
code/binaries to selected users only (thereby making it even much
harder to ever detect, as when *all* users would have to be


Security-wise (and generally), it's probably safest to hardcode the
valid hashsums for the downloaded files within the downloader package
and really upgrade the package every time a new version of the
code/binaries comes out.
This would not mean a general circumvention of the distribution's
package management tools.


I personally can only think of very few cases, where a downloader
package is justified (like when legal reasons prevent shipping
something, e.g. as with ttf-mscorefonts-installer).
For most other things one should wonder whether it's not better to
simply drop a package from the distro if it cannot actually be
maintained within that distro.

After all, Linux isn't the Windows world, where each and every software
brings its own (often crappy) installers, and where this causes
gazillions of problems and security issues.


Cheers,
Chris.

Sebastiaan Couwenberg
On 4/9/20 4:37 AM, Christoph Anton Mitterer wrote:
>> The package will be maintained within the Debian GIS team where
>> it will eventually replace the josm package.
>
> I'm afraid this is a really unfortunate idea.

Don't be:

 https://lists.debian.org/debian-gis/2020/04/msg00000.html

> Downloader packages - and that's what this is - are generally a bad
> idea.

You don't have to use it.

It's no different from users downloading the JAR themselves, the package
just integrates it in the desktop environment and schedules periodic
downloads.

Kind Regards,

Bas

Christoph Anton Mitterer-2
On Thu, 2020-04-09 at 05:45 +0200, Sebastiaan Couwenberg wrote:
> On 4/9/20 4:37 AM, Christoph Anton Mitterer wrote:
> > > The package will be maintained within the Debian GIS team where
> > > it will eventually replace the josm package.
> >
> > I'm afraid this is a really unfortunate idea.
>
> Don't be:
>
>  https://lists.debian.org/debian-gis/2020/04/msg00000.html

Ah, so AFAIU josm is not intended to be kept... that's good news.
Thanks for your effort :-)



> It's no different from users downloading the JAR themselves, the
> package
> just integrates it in the desktop environment and schedules periodic
> downloads.


FYI:
I've just had a short glance at the downloader and it seems it does no
verification at all...

The only protection is https, which, given how the TLS CA ecosystem
works, is mostly identical to no protection (there are around 150 root
CAs in the usual bundles, many of them highly questionable, from
totalitarian countries or having been caught already several times
"accidentally" forging certs... and there are probably thousands of
intermediate CAs... all of which can basically sign for everything).


I think there should perhaps be a big fat warning about this in the
package, or even better, some hardcoded hashsums of the jar, which are
then verified upon download.


Cheers,
Chris.

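As an added illustration of the hardcoded-hashsum approach Chris proposes above, and of the downgrade-attack point from his earlier message (example code written for this page, not code from josm-installer or from anyone in the thread): a verifier that accepts a downloaded JAR only if its revision is not older than the installed one, the revision has a hash pinned in the package, and the bytes match that hash. The pinned table, the JAR bytes and the function names are constructed assumptions; no real JOSM hashes appear on the page.

```python
import hashlib
import hmac

# Constructed stand-in for the table a downloader package would ship:
# svn revision -> SHA-256 of the josm-tested JAR for that revision. The
# JAR bytes are fake sample data; the pinned hashes are derived from them.
SAMPLE_JARS = {
    16006: b"PK\x03\x04 constructed sample josm-tested.jar r16006",
    16107: b"PK\x03\x04 constructed sample josm-tested.jar r16107",
}
PINNED_SHA256 = {rev: hashlib.sha256(jar).hexdigest()
                 for rev, jar in SAMPLE_JARS.items()}


class VerificationError(Exception):
    """Raised when a downloaded JAR must not be installed."""


def revision_from_version(version):
    """svn revision from a Debian-style version such as '0.0.1+svn16006'."""
    return int(version.rsplit("svn", 1)[1])


def verify_download(data, revision, installed_revision, pinned=PINNED_SHA256):
    """Return the hex digest of data if it may be installed as revision.

    Checks, in order: no downgrade below the installed revision; the revision
    has a pinned hash (the package, not upstream, decides which builds are
    acceptable); the bytes match that hash (integrity independent of TLS).
    """
    if installed_revision is not None and revision < installed_revision:
        raise VerificationError(
            f"downgrade refused: r{revision} < installed r{installed_revision}")
    expected = pinned.get(revision)
    if expected is None:
        raise VerificationError(
            f"no pinned hash for r{revision}; ship a new package revision instead")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):  # constant-time compare
        raise VerificationError(f"sha256 mismatch for r{revision}")
    return actual


def is_acceptable(data, revision, installed_revision):
    """Boolean wrapper around verify_download() for callers and tests."""
    try:
        verify_download(data, revision, installed_revision)
        return True
    except VerificationError:
        return False
```

Because the hash table is part of the package, a new upstream build only becomes installable through a new package upload, which is exactly the trade-off Chris describes: the package is upgraded every time, but package management is not bypassed.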
Sebastiaan Couwenberg
On 4/10/20 6:20 AM, Christoph Anton Mitterer wrote:

> On Thu, 2020-04-09 at 05:45 +0200, Sebastiaan Couwenberg wrote:
>> On 4/9/20 4:37 AM, Christoph Anton Mitterer wrote:
>> It's no different from users downloading the JAR themselves, the
>> package
>> just integrates it in the desktop environment and schedules periodic
>> downloads.
>
> FYI:
> I've just had a short glance on the downloader and it seems it does no
> verification at all...

The JRE verifies the JAR signature.

> The only protection is https, which, given how the TLS-CA-ecosystem
> works is mostly identical to no protection (there are around 150 root
> CAs in the usual bundles, many of them highly questionable from
> totalitarian countries or that have been caught already several times
> in "accidentally" forging certs... and there are probably thousands of
> intermediate CAs... all which can basically sign for everything).

Upstream doesn't provide asc/md5/sha signatures like Maven does; I did
ask for them but upstream considers the JAR signature sufficient.

> I think there should perhaps be a big fat warning about this in the
> package, or even better, some hardcoded hashsums of the jar, which are
> then verified upon download.

I looked into how flashplugin-nonfree was implemented, but that's not
something to adopt for josm-installer; I don't have the bandwidth for that.

josm-installer is already in contrib, that's warning enough. The package
name implies that it doesn't provide the executable itself; any user who,
like you, is uncomfortable with that can stay clear of it. If we have to
remove the josm package in the future because it becomes impossible to
keep for some reason, the josm-package will remain for users who don't
share your concern, e.g. because they already download the JAR from the
JOSM project themselves and appreciate the improved integration. Users
who consider an installer unacceptable will have to find another way to
keep using JOSM on their Debian systems.

Kind Regards,

Bas