Hi, Frank. Thanks so much for the feedback. Responses below. On Sun, 02 May 2010 23:36:57 +0200, Frank Lin PIAT <email@example.com> wrote: > On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote: > > * Package name : xul-ext-monkeysphere > > Version : 0.1 > > The package description could mention that this is an > early/alpha/experimental release, to avoid deception (and encourage > feed-back) This extension definitely is in the early stages of development, but it is working for most cases now, and the developers are using it routinely. I'm also not sure how we would indicate that it's "alpha" or "experimental" in the Package: or Version: fields of the control file, which I think is what you're implying. Do you have a suggestion for that? > Wouldn't it be better to state that it's a replacement for X509 > certificates? (there is probably an even better wording, but I can't > find it). Monkeysphere is not actually a replacement for X.509, at least not in the sense of using Monkeysphere *or* X.509. The goal of Monkeysphere, broadly, is to expand the usage of OpenPGP for authentication on the net. In the context of the web, the Monkeysphere xul extension can be used to validate sites that have put their host keys on the OpenPGP Web of Trust (WOT). However, the extension actually currently relies upon sites providing an X.509 certificate through normal TLS channels. We provide a fallback validation check using the WOT when the standard X.509 validation fails. Our goal is not to disrupt standard X.509 validation if the user wishes to continue to rely upon it, but to instead provide an alternative to standard X.509 validation that uses OpenPGP and the WOT. I agree, though, that it is relevant to mention X.509 in the package description, at least in the sense of providing an alternative, but I feel like we're currently doing that with this bit: > > This extensions enables Monkeysphere checking of X.509 certificates > > from https hosts whose keys are in the web of trust. Does this not seem clear enough? Or is there something else that we're missing in the description to make things clearer? > The long description should mention that this package contains an > Iceweasel extensions, maybe: > "This package contains an Iceweasel/Firefox extensions to use > Monkeysphere for checking of X.509 certificates from https hosts > whose keys are in the web of trust." Good point. We'll fix that. > My 2 cents, Always appreciated! jamie.
Description: PGP signature