On Mon, Dec 10, 2012 at 10:20:08PM -0500, Nick Holland wrote:
| On 12/10/12 21:45, Maximo Pech wrote:
| ...
| > Well, with the information you have given me so far, I think the answer is
| > something like "nobody has written it because we have more important things
| > to do and nobody believes there is a real need for that". Am I right?
| > 
| 
| I have lived a long time and never used PGP, GNUpg, NetPGP...whatever on
| my own systems.  Never had a reason to, never had the desire to.  Got a
| task at work where this may be requested, and in that case, it's because
| they are "doing it wrong", trying to make e-mail into a secure
| communications channel.  In my mind, e-mail is a non-secure
| communications channel, and I'm not fond of trying to bolt-on gadgets to
| make non-secure things look secure.

There's a fallacy here.  IP is a non-secure communications channel.
Using tools like IPsec or SSH can secure your communications over such
a non-secure channel.  There's nothing wrong with bolting that on
(well, it could be argued that ipsec is a layering violation, but
that's another subject entirely).

There's a use for tools like pgp - it solves secure communications in
a different way than ipsec/ssh do, for when your requirements are
different.

Also, pgp can be used for more than just e-mail (much like ssh can be
used for more than just 'secure remote logins'); don't dismiss a
solution because you've not run into a problem that's fixed by it yet.

| You seem to have a problem you expect all of us to have that requires a
| PGP-equivalent  to solve.  Apparently, we don't all share this problem.
|  You have not told us what this problem is you are trying to solve...but
| in general, naming the tool rather than naming the problem you are
| attempting to solve is bad process.

Well, in all honesty, I think the problem PGP solves is quite well
known and understood.  If ten years ago people asked 'is there SMP in
OpenBSD', you wouldn't have asked the same question, would you?

| You are coming in as if you are trying to sound high-and-mighty and
| pointing out what fools we are for not having (yet again) reinvented
| your favorite tool in base.  You have yet to make a case for:
| 1) why such a tool should be in base, when obviously no developers seem
| to think it should be.
| 2) why such a tool should be reinvented Yet Again, when there are
| multiple varying degrees of free implementations out there already.
| 3) why you care.  What are you doing that could possibly be improved
| drastically by a BSD-licensed PGP implementation in base?  In fact, your
| question appears to misunderstand the /reason/ we would want a BSD
| licensed anything in base -- it isn't over a "my license is better than
| your license" pissing match, it's about what you could DO with that.
| The GNU license on GnuPG puts limitations on your ability to modify and
| redistribute it in a commercial product.  Being that PGP is sorta a
| standardized product...do you want people distributing modified versions
| of PGP?  anyone who has reason to do that will find plenty of crypto
| libraries and tools in OpenBSD, they won't need to tear apart and
| rebuild a PGP tool.

These are (imo) far better arguments.  Here are some possible answers:

3: OpenBSD solutions tend to be better implementations (ssh.com vs
   OpenSSH)
2: See 3, but also so it can be put under a 'better' license allowing
   for 1.
1: I'm not sure there are no developers that would like to see this in
   base, but they could have other priorities; wanting something does
   not necessarily mean having (time) to do the work.  The important
   difference is that you don't hear them.

| Yes, the OpenBSD project cares a lot about cryptography, but using it
| where it makes sense using as few tools as possible to do it right.
| Hey, why don't we have a crypto-ls?  It's really important!  What if
| someone is looking over your shoulder when you do an 'ls'?

Now you're just being facetious ;)

Paul 'WEiRD' de Weerd
(who's using gnupg now but wouldn't mind something better (which, in
the case of gnupg, can't be very hard) in either base or ports)

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
