Re: RFC: gnupg



Zed Pobre <zed@moebius.interdestination.net> writes:

> On 5 Jul 1998, James Troup wrote:
> 
> > Well, duh.  That is *not* a show stopper.  The whole point of
> > switching to GNUPG is to get away from the forced use of non-free
> > programs, any program which supports RSA and IDEA is automatically
> > non-free.
> 
>     Okay, you resign a few hundred megs of packages.

We are switching to FHS; all packages have to be uploaded again
anyway.  Duh.

> I'm seriously under-impressed by anyone so thin-skinned that they
> can't tell the difference between someone who's going to try to
> compromise Debian security and someone pointing out a possible
> security hole.

Your ``possible security hole'' is based on me or Igor mucking up in
highly improbable ways.  Such ``possible security holes'' exist every
day, PGP or GNUPG.  110% Straw man.

>     Which is identical to extracting a key and uuencoding it, except
> that your way you may run into problems with PGP barfing on the GPG
> headers (PGP tends to not like dashes).

Rubbish, try it and see.  It works fine.

> So here's how an attack could take place.

[...]

>     Obviously, this requires that the person handling the key exchange
> make the error of doing this in a place where the intruder could
> overwrite the unwrapped key before it was added to a keyring, so
> it's not very likely in terms of a real attack on Debian.

And in fact has SFA to do with this discussion, since it's a
``security hole'' every time we add a PGP key to the keyring.

> > ``cutting off'' anyone, except you, who are doing a fine job of
> > spreading large amounts of FUD.
> 
>     The tone of the entire thread, both here and the last time I saw
> it come up on -policy, was the overall replacement of pgp with gpg
> as a signing tool in the Debian community.

Complete and utter rubbish.  Don't confuse your delusions with the
actual intentions of the people putting the actual work into the
implementation.

> The conversion to gpg needs to be accompanied by a rewrite of
> documentation, and a number of scripts to let things happen
> automatically.  The only time I've seen these things mentioned is as
> an afterthought by people that as far as I know are not planning on
> becoming directly involved in the conversion.

More complete and utter rubbish; I'm already involved in keyring
maintenance, new maintainer processing, dpkg non-maintenance and am in
the process of becoming involved in ftp site maintenance.  That is
*all* the affected areas, so I can *and will* (if no one else does) do
the actual work (I already started in fact). And these things are
*not* an afterthought; go and read debian-policy and stop lying.

Please come back when you have something valid to say.

[ Oh, and please stop Ccing me, I read debian-devel, I don't need your
 10kb mails twice ]

-- 
James
~Yawn And Walk North~                                  http://yawn.nocrew.org/