SOP migration (was Re: Reaction to potential PGP schism)

2024-01-03 Thread Guillem Jover
Hi! Daniel thanks for all your work on the OpenPGP working group, and on SOP! :) On Wed, 2023-12-20 at 22:16:28 -0500, Daniel Kahn Gillmor wrote: > # What Can Debian Do About This? > > I've attempted to chart one possible path out of part of this situation > by proposing a minimized, simplified

Re: Reaction to potential PGP schism

2023-12-21 Thread Cyril Brulebois
Hi Daniel, Quick backstory: I stayed away from hardware crypto for a long while since there were so many incompatibilities, partial support, or side patches to get basic things to work. Over time, it seems it got to a point where it's mainstream enough that you can buy a Yubikey without much of a

Re: Reaction to potential PGP schism

2023-12-21 Thread Daniel Kahn Gillmor
Hi Gioele-- On Thu 2023-12-21 11:02:06 +0100, Gioele Barabucci wrote: > On 21/12/23 04:16, Daniel Kahn Gillmor wrote: > As the Uploader of rust-sequoia-openpgp, what do you think of the > related sequoia-chameleon-gnupg project [1] (drop-in replacement for gpg > that uses sequoia internally)? >

Re: Reaction to potential PGP schism

2023-12-21 Thread Stephan Verbücheln
Interesting point in this talk: The APT team is already working on non-PGP signatures. https://wiki.debian.org/Teams/Apt/Spec/AptSign I can see the advantages of that for release signatures which use a rarely changing set of keys. However, I do not see any good alternative for PGP for personal s

Re: Reaction to potential PGP schism

2023-12-21 Thread Enrico Zini
On Wed, Dec 20, 2023 at 10:16:28PM -0500, Daniel Kahn Gillmor wrote: > # Why is GnuPG on Debian's Critical Path? > > In 2023, I believe GnuPG is baked into our infrastructure largely due to > that project's idiosyncratic interface. It is challenging even for a > sophisticated engineer to figure

Re: Reaction to potential PGP schism

2023-12-21 Thread Gioele Barabucci
On 21/12/23 04:16, Daniel Kahn Gillmor wrote: # What Can Debian Do About This? I've attempted to chart one possible path out of part of this situation by proposing a minimized, simplified interface to some common baseline OpenPGP semantics -- in particular, the "Stateless OpenPGP" interface, or

Re: Reaction to potential PGP schism

2023-12-21 Thread Meso Security
Thank you very much for your explanation. On Thu, Dec 21, 2023 at 2:13 AM, Christoph Biedl wrote: Daniel Kahn Gillmor wrote... (...) Thanks for your exhaustive description. I'd just like to point out one point: > In practice, i think it makes the most sense to eng

Re: Reaction to potential PGP schism

2023-12-21 Thread Christoph Biedl
Daniel Kahn Gillmor wrote... (...) Thanks for your exhaustive description. I'd just like to point out one point: > In practice, i think it makes the most sense to engage with > well-documented, community-reviewed, interoperably-tested standards, and > the implementations that try to follow them.

Re: Reaction to potential PGP schism

2023-12-20 Thread Daniel Kahn Gillmor
hey folks-- [ This message won't make sense unless the reader distinguishes clearly between OpenPGP the protocol and GnuPG the implementation! As a community we have a history of fuzzily conflating the two terms, which is one of the reasons that we're in this mess today. Please read expli

Re: Reaction to potential PGP schism

2023-12-14 Thread Joerg Jaspert
On 17077 March 1977, Stephan Verbücheln wrote: How can Debian deal with this? Should Debian intervene to prevent the worst? We, as Debian, look and wait what comes out. And then *MAY* at some point decide to add (or switch to) a new thing, if that appears better. Also, it will be a high bar f

Re: Reaction to potential PGP schism

2023-12-14 Thread Pierre-Elliott Bécue
Hi, Personal view here. Stephan Verbücheln wrote on 14/12/2023 at 11:29:17+0100: > [[PGP Signed Part:No public key for 603542590A3C7C62 created at > 2023-12-14T11:29:17+0100 using EDDSA]] > Hello everyone > > As you probably know, Debian relies heavily on GnuPG for various > purposes, includin

Reaction to potential PGP schism

2023-12-14 Thread Stephan Verbücheln
Hello everyone As you probably know, Debian relies heavily on GnuPG for various purposes, including: - developer communication - signing of tarballs and patches - automated processes such as update validation by APT The OpenPGP Working Group at IETF is currently working on a new standard. https: