Hello,

Please retain me in CC for all replies.

Everyone reading this most likely believes that PGP/GPG is a good thing; many will advocate for its use-by-default for even unimportant correspondences, because privacy is a right. Meanwhile, everyday usage of encryption normalises it, which is important because the means to privacy should not be a niche crypto enthusiast thing...

On the surface, this means Proton Mail (free account) is great! And for general use, I feel like we should be supportive of them; however, I'm starting to wonder if we need to recommend against the use of Proton Mail for Debian work for the following two reasons:

1. I've received a report that this provider is not appropriate for DM and DD use, because the key pair is stored on their servers. I.e.: the applicant doesn't control the means to validating identity and authorship.

2. The Proton Mail web client automatically encrypts email to anyone who it has a key for. Usually, this would be a great thing, but it means that emailing 1234 at bugs.debian.org while CCing uploader_since_this_is_an_rc_...@debian.org will encrypt the email that is sent to the BTS... which has the effect of making Debian development veiled in plain sight rather than "in the open".

I see three outcomes:

A) Continue to explain this to new contributors on a one-by-one basis.
B) Advise against using Proton Mail for Debian work (where? our wiki?)
C) Proton Mail begins to do something differently on their end, such as offering some features to Debian contributors that currently require a subscription.

What do you think?

Nicholas

P.S. Also, at what point should we add them to CC and/or write them an open letter?