Bug#466669: Squirrelmail plugin for GPG
On 04/04/2011 08:43 PM, Jan Hauke Rahm wrote:
> Hi Thomas,
>
> On Sat, Apr 02, 2011 at 06:03:37PM +0800, Thomas Goirand wrote:
>> I saw that you maintained the squirrelmail-spam-button plugin, and I was
>> wondering if you would also like to maintain the squirrelmail-gpg
>> plugin. I did the packaging, but I don't feel like maintaining yet
>> another package (I have quite a lot under my responsibility). If you do,
>> there my diff.gz is attached. I paid attention to keep the same
>> packaging style you used for your spam-button plugin.
>
> I even already have an ITP on squirrelmail-gpg (#466669). In that report
> you find the reasons why it's not in the archive (yet?). I have to admit
> though, there's one to add nowadays: upstream seems pretty much dead. :(
>
> If you have new information about it, feel free to tell me. I'd be happy
> to see that usable in Debian.
>
> Hauke
Excuse me to say it this way, but the excuse that it's dangerous to keep
a key on a server is a silly reason for not sending the package in main.
There's many more reasons you would like to use this package, for
example to CHECK for a signature. That doesn't require uploading or
generating a key on the server, yet there's no other way but to use this
package, if you use Squirrelmail.
Now, I agree that a warning could be added to the package description.
But it's the responsibility of an administrator to use (or not) keys on
the server side. As for me, I would do so only for small low-security
things, like signing my outgoing mail. Using a key for signing my
outgoing mail is better than not signing at all, and myself and 5 other
people are the only one using the server. How in this kind of case, is
this a security threat? Why would it be considered less safe, than,
let's say, browsing the web using Adobe flash player on my laptop?
The fact that upstream is dead is a much bigger concern though. Did you
try to ping him once more?
Thomas
Reply to: