
Bug#903880: RFS: pw/1.2-1 [ITP] -- simple command-line password manager



On Monday, July 16 2018, Dashamir Hoxha wrote:

> On Mon, Jul 16, 2018 at 6:53 AM Sergio Durigan Junior <sergiodj@debian.org> wrote:
>
>> Hello,
>>
>> Thank you for your interest in Debian.
>>
>> From the website (which unfortunately uses github):
>>
>>   pw was written by Dashamir Hoxha (dashohoxha@gmail.com). The code is
>>   on GitHub at https://github.com/dashohoxha/pw. pw started as a fork of
>>   pass (http://www.passwordstore.org/), written by Jason A. Donenfeld
>>   (Jason@zx2c4.com).
>>
>> pass is already packaged, works perfectly (I use it myself), has an
>> active upstream, and doesn't use github (which IMO is a feature
>> nowadays).  What is the advantage of having "pw" in the archive?
>
>
> A couple of years ago I made some suggestions for improvement to 'pass'.
> I proposed to use an encrypted archive for the whole directory of passwords,
> instead of encrypting only the passwords, because this way the structure of
> the passwords is hidden and protected as well, besides the passwords
> themselves.
>
> This looks like a reasonable thing, however it conflicts with some other
> feature of 'pass', namely the ability to share different branches of
> passwords with different people. Since 'pass' is widely used, there is no
> way to remove an existing feature from it, since some of the users may
> already depend on it.

Why would you need to remove a feature from it?  Why not add a new
"mode" or option?

> So, my proposal could not be technically accepted and the only way was
> to start a fork, which I did. Later I continued to add more features which
> make it different from 'pass'. For example having a GPG key is a must
> for using 'pass', however in 'pw' it is only an option, one can also use
> a simple password for encrypting the archive. In my opinion this makes
> 'pw' easier to get started, compared to 'pass', since we all know that
> managing GPG keys is not an easy task, especially for beginners.

I'm not a security expert, but using a "simple password" for encrypting
the archive instead of a 4096 RSA key seems like a bad thing to do, even
if done in the name of "ease of use".  But as I said, I'm not an expert
in this area (and I confess I haven't spent too much time thinking about
the implications).

> Another difference is that in 'pass' you can share your passwords with
> other people only through a central git repository. In 'pw' you need to
> synchronize the encrypted archives with other people, and this can be
> done with 'scp' or 'rsync' or any other means.

First of all, git is not centralized; it's companies like github that
made it seem like a centralized thing.

If you can use scp, then you can also clone a git repository via SSH.
And as for rsync, one can easily mirror the local repository by
rsync'ing the ~/.password-store/ directory.

> So, the main target users of 'pass' are big enterprises, or organizations,
> or corporations. On the other hand 'pw' is more suitable for individuals
> or small groups.

What?!  I completely disagree with this statement.  I don't know how you
reached the conclusion that 'pass' has "big enterprises, or
organizations, or corporations".  I use pass myself as an individual,
and I know several other *individuals* who also use it.  The fact that
it requires GPG is *not* an anti-feature for individuals, as you seem to
imply.

> I do not claim that 'pw' is better than 'pass', but at least they are
> different, because they have different features. So, it makes sense to
> have both of them in the repository, and let the users decide which one
> is more suitable for their needs.

They're indeed different, but I feel reticent in accepting 'pw' because
IMO it promotes less security, not more.

> References:
> - https://lists.zx2c4.com/pipermail/password-store/2016-January/001887.html
> - https://lists.zx2c4.com/pipermail/password-store/2016-January/001902.html
> - https://lists.zx2c4.com/pipermail/password-store/2016-January/001928.html
>
> I don't think that the place of hosting adds or removes anything to the
> merits of an application. However 'pw' is free software and it is hosted
> on a site that so far has offered great service, and is friendly and not
> hostile to free software (at least not yet). Anybody who cares about it
> is free to make a mirror to their preferred or trusted hosting service.
> I do this often for the programs or tools that I need to use on my
> applications, just in case that they suddenly disappear from the face of
> the Earth. If I had hosted 'pw' on my own personal server, this would not
> make it more safe, or secure, or reliable. My point is that the place of
> hosting does not matter.

Oh, but it does.  Maybe not technically, but it does matter
philosophically.  Now, this is my personal opinion, of course.  However,
saying that github "is friendly to free software" is pushing a little
too far.  github uses proprietary technologies both in the backend and
in the frontend.  It uses proprietary JavaScript.  It promotes the
mentality that git is centralized.  So I find it a bit hard to say that
it "is friendly to free software".

Anyway, again: this e-mail is my personal position.  If some other DD
thinks 'pw' is a nice addition to our archives, that's fine.

Cheers,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/