Subject: Re: adding gpg to src/gnu/dist
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Daniel Carosone <dan@geek.com.au>
List: tech-security
Date: 05/13/2004 12:02:38

On Wed, May 12, 2004 at 09:02:32PM -0400, Thor Lancelot Simon wrote:
> "Building up a web of trust" is not all that useful when what users want
> is to verify, for instance, that release binaries (or, in most contexts I
> can think of, package binaries) came from an entity vouched for by The
> NetBSD Foundation.  That's the classic hierarchical trust model; it is the
> classic application for certificate-based signatures, which OpenSSL does
> just fine.

Agreed. I've PoC'd smime file signing a number of times for different
purposes using openssl.

> I am appalled by many things about GPG, not least of which are its size,
> its extensive dependencies (which include Perl),

Perl is there for only one silly and largely useless script. This
dependency is bogus, or at best should be optional, in pkgsrc.
On non-NetBSD platforms it pulls in a number of other dependencies,
but not on NetBSD.

> and its horrendous user
> interface which betrays an utter lack of understanding of the key role
> that usability plays in the actual secure use of security software.

Wait, are we talking about perl or openssl(1)? :)

> When we already have a program in the base system that can do the
> job that it is being proposed that we use GPG for, and, even better,
> that program is merely a command-line interface to a library which
> could easily be directly linked into the appropriate system/package
> tools, I am very, very strongly opposed to importing GPG into the
> base system for this purpose.

I agree, and the latter point is the key.  The "user interface" for
smime-based file signing can and should be hidden with some scripts,
or within the pkg_* tools, or etc as appropriate for the task.

--
Dan.
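The hierarchical, certificate-based file signing discussed in this message can be wrapped in a few shell functions around `openssl smime`. This is an added example, not code from the original post or from NetBSD; the CA and signer names, the throwaway keys and the `release.tgz` payload are constructed for illustration, and it assumes a stock `openssl.cnf` whose `req -x509` output is a CA certificate.

```shell
#!/bin/sh
# Added example. The CA and signer names are constructed; keys are throwaway.

# make_pki DIR: create a root CA (DIR/ca.pem) and a release-signing
# certificate issued by it (DIR/signer.pem, DIR/signer.key).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Example Release Signer" \
        -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/signer.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/signer.pem" 2>/dev/null
}

# sign_file PKI_DIR FILE: write a detached PKCS#7 signature to FILE.sig.
# -binary stops S/MIME line-ending canonicalisation from altering the data.
sign_file() {
    openssl smime -sign -binary -in "$2" \
        -signer "$1/signer.pem" -inkey "$1/signer.key" \
        -outform PEM -out "$2.sig" 2>/dev/null
}

# verify_file CA_CERT FILE: succeed only if FILE.sig covers FILE and the
# signer's certificate chains to CA_CERT.
verify_file() {
    openssl smime -verify -binary -inform PEM -in "$2.sig" \
        -content "$2" -CAfile "$1" -out /dev/null 2>/dev/null
}

# Run with the argument "demo" to exercise the functions end to end.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_pki "$d" || exit 1
    echo "constructed release payload" > "$d/release.tgz"
    sign_file "$d" "$d/release.tgz"
    verify_file "$d/ca.pem" "$d/release.tgz" && echo "signature OK"
    rm -rf "$d"
fi
```

A verifier only needs `ca.pem` and the `.sig` file next to the artifact; the signer's certificate travels inside the PKCS#7 structure.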