
Bug#792916: why exactly should this crap be in Debian?



Hi,

On Tue, Mar 15, 2016 at 08:38:50PM -0400, Antoine Beaupré wrote:
> By that standard, we should remove a *lot* of stuff from Debian.

yes, we probably should…

> And somehow, you propose we draw the line at... Keybase? Of all places,
> it seems like a weird detour to draw a line. I would totally ban
> Facebook and Google clients way before Keybase.

you have a point here.

(and my "argument" in favor is probably a weak one: lots of user demand
for those others…)
 
> Think of how much security you give up the second you fire up
> Chromium before you complain about issues in Keybase.

I haven't used Chromium for more than a year…
 
> Well, "encourages" is a big word. It asks you, and defaults to
> "yes". That is a small detail, that can be easily patched in Debian if
> we are so obstinate about it.

I actually like this idea, this detail, a lot.
 
> In other words, foot-shooting devices are plentiful in Debian. The
> alternative to Keybase, right now, is GPG, and is probably worse, by a
> few orders of magnitude, than keybase in terms of foot-shooting! I have
> seen people:
> 
>  * sign PGP keys after getting the fingerprints by email in the clear
>    without any other form of authentication
>  * lose revocation certificates
>  * lose their private GPG (and therefore access to their data and
>    previous communications)
>  * mistakenly revoke their keys by double-clicking on them (oops)
>  * mistakenly publish their private key material

point.
 
 
> All this with our so beloved GPG that we hold dear to our hearts. GPG is
> one of the worst usability nightmares in the history of crypto computing,
> yet we not only use it, but manage the whole Debian upload process and
> voting with it.
> 
> So please, foot-shooting is not an argument against new software coming
> into Debian. From what I can see, it's almost a philosophy to make
> crypto software so cryptic no one can actually use them properly without
> reading a 20 page manual.

Sadly I have to agree here too :/
 
> > Which actually can be seen as an endorsement for packaging this.
> 
> That, again, is quite a stretch. I have been very explicit in my blog
> and on Twitter that I do not endorse keybase. I don't understand why you
> misconstrue my intentions that way.

because that's what people always^woften do. (understand each other differently
than intended by the speaker…)
 
> I do not believe in Hell. :p

:-)

me neither, but I do use the figure of speech…
 
> > So I will speak up: please don't package this for Debian (as long as the
> > flaws are as they are now…), please close this RFP.
> 
> I wasn't planning on packaging this for Debian, for the record. This is
> an RFP, not an ITP, and not assigned to anyone.
> 
> I'm just the messenger.

I wasn't addressing you here, I should have probably made this more
clear.


Really thanks for your comments, they make a lot of sense to me! (Much
more than your blogpost alone.)

-- 
cheers,
	Holger

