Re: RFC: gnupg
Zed Pobre <firstname.lastname@example.org> writes:
> On 5 Jul 1998, James Troup wrote:
> > Well, duh. That is *not* a show stopper. The whole point of
> > switching to GNUPG is to get away from the forced use of non-free
> > programs, any program which supports RSA and IDEA is automatically
> > non-free.
> Okay, you resign a few hundred megs of packages.
We are switching to FHS; all packages have to be uploaded again
> I'm seriously under-impressed by anyone so thin-skinned that they
> can't tell the difference between someone who's going to try to
> compromise Debian security and someone pointing out a possible
> security hole.
Your ``possible security hole'' is based on me or Igor mucking up in
highly improbable ways. Such ``possible security holes'' exist every
day, PGP or GNUPG. 110% Straw man.
> Which is identical to extracting a key and uuencoding it, except
> that your way you may run into problems with PGP barfing on the GPG
> headers (PGP tends to not like dashes).
Rubbish, try it and see. It works fine.
> So here's how an attack could take place.
> Obviously, this requires that the person handling the key exchange
> make the error of doing this in a place where the intruder could
> overwrite the unwrapped key before it was added to a keyring, so
> it's not very likely in terms of a real attack on Debian.
And in fact has SFA to do with this discussion, since it's a
``security hole'' every time we add a PGP key to the keyring.
> > ``cutting off'' anyone, except you, who are doing a fine job of
> > spreading large amounts of FUD.
> The tone of the entire thread, both here and the last time I saw
> it come up on -policy, was the overall replacement of pgp with gpg
> as a signing tool in the Debian community.
Complete and utter rubbish. Don't confuse your delusions with the
actual intentions of the people putting the actual work into the
> The conversion to gpg needs to be accompanied by a rewrite of
> documentation, and a number of scripts to let things happen
> automatically. The only time I've seen these things mentioned is as
> an afterthought by people that as far as I know are not planning on
> becoming directly involved in the conversion.
More complete and utter rubbish; I'm already involved in keyring
maintenance, new maintainer processing, dpkg non-maintenance and am in
the process of becoming involved in ftp site maintenance. That is
*all* the affected areas, so I can *and will* (if no one else does) do
the actual work (I already started in fact). And these things are
*not* an afterthought; go and read debian-policy and stop lying.
Please come back when you have something valid to say.
[ Oh, and please stop Ccing me, I read debian-devel, I don't need your
10kb mails twice ]
~Yawn And Walk North~ http://yawn.nocrew.org/