
Re: RFC: gnupg



[ This mail is extremely inflammatory in nature, but I am severely
  annoyed by a) the existence of this thread and b) the direction it's
  taking, c) this reply.  If you want to follow-up to this, read this,
  then go and read the debian-policy archives and *then* come back and
  reply. ]

Zed Pobre <zed@moebius.interdestination.net> writes:

> On Sun, 5 Jul 1998, Jules Bean wrote:
> 
> >I have just read the gnupg web pages, at
> >
> >http://www.d.shuttle.de/isil/crypt/gnupg.html
> >
> >and I don't see any showstoppers.  Would anyone with more experience using
> >gnupg, or cryptography in general, like to check and see if there are any.
> 
> There's at least one, and that is the absolute lack of support for
> the RSA and IDEA algorithms.

Well, duh.  That is *not* a show stopper.  The whole point of
switching to GNUPG is to get away from the forced use of non-free
programs, any program which supports RSA and IDEA is automatically
non-free.

> They're also the only way of communicating with PGP.

So what?  This is (or was, before it got dragged onto devel) about
changing what Debian uses as its verification tool.  We do not need
to communicate with PGP to do that.  It is not about what Debian
developers (or anyone else) use to communicate with other people, it's
about what Debian developers are forced to use to verify their own
packages and what our users and developers are forced to use to verify
packages.  Use PGP and any other non-free crud all you want between
consenting adults, just don't force it on me.

> Hm.  Maybe I'll experiment with key spoofing during the confusion
> involved in getting all the new keys in...  Nah.

a) grow the hell up.  I'm _seriously_ under-impressed by so called
   developers who talk about trying to bypass our security protocols
   (such as they are) even in jest.

b) what confusion?  Current maintainers send their gpg keys in signed
   by their PGP key.  How much confusion or opportunity for
   exploitation do you see there?  Please enlighten me you /<-rad
   cracker d00d, you.

> > Let's get rid of this piece of non-free, then...
> 
> I'm not willing to cut off communication with the rest of the world,
> thank you,

Can we please chill the hell out here?  No one is talking about
``cutting off'' anyone, except you, who are doing a fine job of
spreading large amounts of FUD.

> Also be warned that if you decide to abandon pgp completely, you
> aren't going to be able to verify most of the signature that you run
> across.

No, you're wrong, you see, because we *are* going to abandon PGP
completely, and at some point in the future dinstall will simply
reject PGP-signed uploads, so *you* better get used to it.

[ ..................................................................]

Okay, I'll try and calm down, a bit, and explain this once again and
see if any of you FUD-merchants care to listen...

Debian currently uses PGP signatures to ensure packages in the
distribution come from a Debian developer.  This is
\litotes{problematic} because it forces our developers and worse our
users to use non-free software to verify the signatures on these
packages.  We've actually lost new maintainers who gave up when they
found they were going to be forced to use PGP to do Debian
development.

I don't use non-free software and I *don't* want it forced on me, but
the current situation does that.  And I know it's not just me who's
annoyed by this.  What makes this situation unbearable (as opposed to,
e.g. ssh where there is no free alternative (yet)), is that we now
have a tool which does everything we need to replace PGP *AS WE USE IT
IN DEBIAN RIGHT NOW*.  And _that_ is what the proposal is.  That we
replace PGP use in Debian with GNUPG use.  If you want to use PGP for
non-Debian stuff, *fine*, feel free (as much as the license allows
you[1]).  But there is **zero** reason why we should be indulging in
such rank hypocrisy of Debian, paragon of the free software community,
forcing its users and developers to use non-free software.  This is
worse even than the qmail situation.  At least we don't force our
users to use qmail.

Go read debian-policy for the exact details of what's been done and
what's going to be done.  But barring technical objections (and there
have been exactly 0), it *will* happen.  So please, if you want to
discuss the merits of gnupg for general purpose use, take it to
another thread or mailing list.  This is about the use of GNUPG for
debian development.

-- 
James
~Yawn And Walk North~                                  http://yawn.nocrew.org/

