[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsig (Was Re: Apt-get is insecure)

On Mon, Dec 17, 2001 at 04:54:24PM +0100, Wichert Akkerman wrote:
> Previously Jose Carlos Garcia Sogo wrote:
> >   I think that the interface you need is being used in GPGME, so if you
> >  do not want to use GPGME, it wuould serve you as a good example of the
> >  gpg interface. 
> 
> I'm afraid it's not a very useful example, figuring out how it works
> from gpgme source looks to be as hard as figuring it out from the gpg
> source directly.

The only difficult parts of gpgme is really getting the forking and
management of the file descriptors right.  Didn't you say that's trivial? :)

> >   But I think that you should use GPGME... IMHO it can fit very well
> >  your needs, and Marcus Brinkmann is working a lot on it.
> 
> I'm not going to use it for a couple of reasons, in random order:
> 
> * I can't seem to find any documentation for it in CVS

The functions are documented, and there is a script gdoc which can produce
documentation from it (as used in gnome, I think).  I have not figured that
part out yet, but it's something like "doc/gdoc gpgme/* > /tmp/gpgme.doc"
and "man -l /tmp/gpgme.doc" etc.  Improving documentation is important, but
the programs in tests/gpg are illustrative, and the little comments in the
source have to suffice for now, until I have time to improve them.

> * CVS doesn't compile

Thanks for your bug report.  Indeed it compiles correctly (at least here),
but there was a small linking problem in the non-gpgsm case.  I checked in a
fix for the small problem, if there is anything more, write to gnupg-devel
(where the chance I'll pick it up is higher than here).

> * it's major overkill and adds extra dependencies

gpgme does not have external dependencies.  If you want to run and use it,
you need gpg (or gpgsm) [it's not necessary to just build gpgme].  What type
of dependencies are you thinking of?

> * it doesn't have python bindings

Visit google.com ("gpgme python") and feel lucky
(http://astro.berkeley.edu/~johann/py_gpgme.tar.gz)

I can't judge how good this wrapper is, as I don't know Python.  But using
gpgme is not difficult, and if you are going to write something anyway, you
are better off improving the wrapper than writing your own thingie, and here
is why:

* gpgme will always be integrated with the latest and greatest in gpg
communication interfaces,  for example when gpg will have a server mode, you
get it automatically in gpgme, which will dramatically improve speed when
mass-signing files.
* gpgme will support other crypto protocols transparently, like CMS (this is
what the current CVS version does, in fact).
* More people will use it.

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de
Reply to: