Re: Thoughts on GnuPG and automation

2015-03-09 Thread Doug Barton
On 3/9/15 2:10 PM, Bob (Robert) Cavanaugh wrote: you will not get your desired results by starting the conversation impugning the work that went before and claiming that what you are asking for is far superior OTOH, it's often useful when talking about a possible direction for new projects to

Re: Thoughts on GnuPG and automation

2015-03-09 Thread Hans-Christoph Steiner
mailto:h...@guardianproject.info] >> Sent: Monday, March 09, 2015 12:08 PM >> To: Bob (Robert) Cavanaugh; Peter Lebbing >> Cc: gnupg >> Subject: Re: Thoughts on GnuPG and automation >> >> >> Why do I get so many responses like this on this list? I'v

RE: Thoughts on GnuPG and automation

2015-03-09 Thread Bob (Robert) Cavanaugh
you write before you send it, because > that message was received loud and clear. > > > > Thanks, > > > > Bob Cavanaugh > > > > > >> -Original Message- > >> From: Hans-Christoph Steiner [mailto:h...@guardianproject.info] > >

RE: Thoughts on GnuPG and automation

2015-03-09 Thread Bob (Robert) Cavanaugh
t; From: Hans-Christoph Steiner [mailto:h...@guardianproject.info] > Sent: Monday, March 09, 2015 12:08 PM > To: Bob (Robert) Cavanaugh; Peter Lebbing > Cc: gnupg > Subject: Re: Thoughts on GnuPG and automation > > > Why do I get so many responses like this on this list? I&

Re: Thoughts on GnuPG and automation

2015-03-09 Thread Hans-Christoph Steiner
-users-boun...@gnupg.org] On Behalf Of Hans of > Guardian > Sent: Tuesday, March 03, 2015 3:55 PM > To: Peter Lebbing > Cc: gnupg > Subject: Re: Thoughts on GnuPG and automation > > > On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote: > > > In Android, you can't

Re: Thoughts on GnuPG and automation

2015-03-09 Thread Hans-Christoph Steiner
Werner Koch: > On Tue, 3 Mar 2015 21:29, h...@guardianproject.info said: > >> * Android will kill apps when it needs to, app lifecycle is automatically >> managed, >> the app has no control over it, and often zero warning is given > > That is the same as with Linux. Ever heard of the OOM kil

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Ville Määttä
On 04.03.15 12:48, Werner Koch wrote: >> that doesn't tell you about proprietary projects that have chosen not to >> > use GPGME. I've had clients refuse to use GPGME because of the >> > licensing, even under the LGPLv2.1. (Foolish, I know.) Other times > And I have had several hints that it was

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Ville Määttä
On 04.03.15 18:21, Bjarni Runar Einarsson wrote: > GPGME proponents will be frustrated to hear that this knowledge actually > makes me feel much better about Mailpile's decision to wrap gpg > directly: it means I've removed two layers of abstraction between my > code and gpg! Win! Although supposed

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Ville Määttä
On 04.03.15 01:55, Hans of Guardian wrote: > In Android, you can't really have shared libraries. Apps share functionality > at a higher level (aka Activities and Services). Qt applications can share Qt libraries [1] with an external dependency called Ministro [2]. [1]: http://doc.qt.io/qtcreato

Re: Re: Thoughts on GnuPG and automation

2015-03-04 Thread Bjarni Runar Einarsson
Werner Koch wrote: > > > I think that one solution would be to have mailpile use a per-session > > gpg home dir. > > That is an architectural decision. > > BTW, gpg-agent has this --extra-socket feature which distinguishes > between remote and local use (modulo some discussed changes). It woul

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Steve Jones
On Wed, 04 Mar 2015 10:50:53 +0100 "Robert J. Hansen" wrote: > The possibility of *every encrypted communication* being intercepted > and stored for later exploitation ... is not real, and we need to stop > treating it as such. I remember when we used to think this about the NSA or GCHQ taking i

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Werner Koch
On Tue, 3 Mar 2015 16:23, br...@minton.name said: > It breaks mailpile because gpg-agent is not session aware. A user could > be logged in locally, using mailpile, and a remote attacker could access > the web interface of that locally running mailpile instance, which since > it is talking to the

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Werner Koch
On Wed, 4 Mar 2015 11:10, pe...@digitalbrains.com said: > > [JSON] > > [GPGME] That already exists: gpgme-tool. It creates output in XML but adding an option for JSON output should be straightforward. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Robert J. Hansen
> That has not been said. Not by you, correct. I've heard it from others.

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Werner Koch
On Wed, 4 Mar 2015 10:57, r...@sixdemonbag.org said: > You're looking at FOSS projects that have successfully used GPGME, but Sure. > that doesn't tell you about proprietary projects that have chosen not to > use GPGME. I've had clients refuse to use GPGME because of the > licensing, even unde

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Werner Koch
On Wed, 4 Mar 2015 10:50, r...@sixdemonbag.org said: >> I don't know for sure about encrypted mail but it is known that >> https connection information is recorded and stored for future >> attacks: > > Perhaps. Plausible, even, given storage requirements for connection > information. But stor

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Peter Lebbing
On 04/03/15 00:55, Hans of Guardian wrote: > [...] what I'm trying to say is that for programming environments > where GPGME does not make sense, there should be the ability to > easily make a native version of what GPGME is doing. Couldn't this be achieved by writing a C program that, for instanc

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Daniele Nicolodi
On 03/03/15 14:29, Hans of Guardian wrote: > It is actually more difficult to wrap GPGME in Java than to have just > rewritten GPGME in Java. GPGME is a fine API for C/C++, it is a bad > API for other languages. You end up with an API that feels like a C > API forced into the language, e.g. Java,

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Werner Koch
On Tue, 3 Mar 2015 21:29, h...@guardianproject.info said: > * Android will kill apps when it needs to, app lifecycle is automatically > managed, > the app has no control over it, and often zero warning is given That is the same as with Linux. Ever heard of the OOM killer? > * Android was not

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Robert J. Hansen
> It can't be that bad: > > $ apt-cache rdepends libgpgme11 | wc -l 84 > > and the majority of problems I hear are by projects which do not use > GPGME. So I wonder a bit about your statement. You're looking at FOSS projects that have successfully used GPGME, but that doesn't tell you about pr

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Robert J. Hansen
> I don't know for sure about encrypted mail but it is known that > https connection information is recorded and stored for future > attacks: Perhaps. Plausible, even, given storage requirements for connection information. But storing traffic, when 99.99% of it is good -- that's ridiculou

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Werner Koch
On Wed, 4 Mar 2015 01:43, robe...@broadcom.com said: > I think Peter and the group already adequately answered this: If GPGME > is not providing an interface that meets Android requirements, then > look into how GPGME interfaces to GPG and emulate that interface. FWIW, EasyPG, the GnuPG interfac

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Werner Koch
On Wed, 4 Mar 2015 00:50, h...@guardianproject.info said: > If you are interested, you should read the details. Because you are > missing some key details here. I believe they log all PGP encrypted > communication. That would be easy for them to do. I don't know about > HTTPS. I don't know

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Werner Koch
On Wed, 4 Mar 2015 01:45, r...@sixdemonbag.org said: > ever hacked on GnuPG has found situations where GPGME isn't a good > solution, sometimes for architectural reasons and sometimes for API > reasons and sometimes for language binding reasons and sometimes for > licensing reasons and... etc. I

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> And that is why this thread is going on, so hopefully we can come to > an agreement that there are many areas where GnuPG can be used but > GPGME is a bad solution to do it. Maybe I'm a little irritable here, but -- pretty much everyone who's ever hacked on GnuPG has found situations where GPG

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 8:52 PM, Werner Koch wrote: > On Tue, 3 Mar 2015 14:29, h...@guardianproject.info said: > >> It is actually more difficult to wrap GPGME in Java than to have just >> rewritten GPGME in Java. GPGME is a fine API for C/C++, it is a bad > > Sorry, but that is not your problem.

RE: Thoughts on GnuPG and automation

2015-03-03 Thread Bob (Robert) Cavanaugh
rdian Sent: Tuesday, March 03, 2015 3:55 PM To: Peter Lebbing Cc: gnupg Subject: Re: Thoughts on GnuPG and automation On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote: In Android, you can't really have shared libraries. Apps share functionality at a higher level (aka Activities and Services).

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> If you are interested, you should read the details. Did. Have. > Because you are missing some key details here. In other words, "you're wrong, but I'm not going to present any evidence or reasoning, I'm just going to make vague statements about how you're missing details which I am privy to."

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote: > On 03/03/15 18:29, Hans of Guardian wrote: >> Android has an installed base of hundreds of millions. Desktop UNIX >> is the exotic system here as compared to Windows, Android, etc. > > I have no idea about how difficult it is to launch the gpg

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 7:31 PM, Robert J. Hansen wrote: >> This is definitely public information from the Snowden leaks. There >> is also quite a bit of information about other governments doing >> similar things. Here's one example article: > > If all encrypted traffic is deemed suspicious, the

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Matthias Mansfeld
On 4 Mar 2015 at 7:47, Sandeep Murthy wrote: [...] > Once such a data retention law is in place it is dangerous because > inevitably there is a "mission creep" that sets in - it is not > hard to imagine one day that encryption software users, maybe GPG > users, will be required to disclose informa

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Sandeep Murthy
> On 4 Mar 2015, at 07:24, Ingo Klöcker wrote: > After the recent terrorist attacks in Paris and Brussels some German > politicians are again arguing that we need Vorratsdatenspeicherung (data > retention, i.e. storage of all communication meta data for 6 months) in > Germany to prevent such atta

Newspeek, (was: Re: Thoughts on GnuPG and automation)

2015-03-03 Thread Matthias Mansfeld
On 3 Mar 2015 at 21:24, Ingo Klöcker wrote: [..] > After the recent terrorist attacks in Paris and Brussels some German > politicians are again arguing that we need Vorratsdatenspeicherung > (data retention, i.e. storage of all communication meta data for 6 > months) in Germany to prevent such att

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Brad Rogers
On Tue, 3 Mar 2015 21:24:15 +0100 Ingo Klöcker wrote: Hello Ingo, >of terror. Still this completely pants-on-head absurd policy will >become reality if those German politicians get what they want. It's not just in Germany: Politicians across the world utilise similar scaremongering tactics to

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Ingo Klöcker
On Tuesday 03 March 2015 19:31:14 Robert J. Hansen wrote: > > This is definitely public information from the Snowden leaks. There > > is also quite a bit of information about other governments doing > > > similar things. Here's one example article: > If all encrypted traffic is deemed suspicious

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote: > On 03/03/15 18:29, Hans of Guardian wrote: >> Android has an installed base of hundreds of millions. Desktop UNIX >> is the exotic system here as compared to Windows, Android, etc. > > I have no idea about how difficult it is to launch the gpg

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Werner Koch
On Tue, 3 Mar 2015 14:29, h...@guardianproject.info said: > It is actually more difficult to wrap GPGME in Java than to have just > rewritten GPGME in Java. GPGME is a fine API for C/C++, it is a bad Sorry, but that is not your problem. The problem on Android seems to be that it is not easy to

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> Android has an installed base of hundreds of millions. So? GnuPG and GPGME are products of their birth, just like anything else. It was built for desktop operating systems. If you want to make it live in the mobile space, go with God and I wish you all the luck in the world -- but if GPGME isn

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> This is definitely public information from the Snowden leaks. There > is also quite a bit of information about other governments doing > similar things. Here's one example article: If all encrypted traffic is deemed suspicious, then 99.999% of the suspicious set -- Amazon transactions, G

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Peter Lebbing
On 03/03/15 18:29, Hans of Guardian wrote: > Android has an installed base of hundreds of millions. Desktop UNIX > is the exotic system here as compared to Windows, Android, etc. I have no idea about how difficult it is to launch the gpg binary with a few pipes attached to a few file descriptors

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 5:49 PM, Robert J. Hansen wrote: >> Different programming languages and operating systems can have very >> different ways of launching and handling external processes. > > Eh. Different operating systems, sure: that's the nature of kernels. > They provide different syscalls,

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 5:01 PM, Robert J. Hansen wrote: > Hans, please trim your quoted material. > >> They would need to use a specialized system, and that specialized >> system might then be a marker of suspicion (for example, lots of >> governments, including the NSA, already mark all PGP message

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> Different programming languages and operating systems can have very > different ways of launching and handling external processes. Eh. Different operating systems, sure: that's the nature of kernels. They provide different syscalls, and that's at root how you launch an external process -- by m

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 4:43 PM, Peter Lebbing wrote: > On 03/03/15 14:29, Hans of Guardian wrote: >> It is actually more difficult to wrap GPGME in Java than to have just >> rewritten GPGME in Java. > > In my opinion, if this is the case, then that is indeed the proper > solution: write a general-pu

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
Yeah, mailpile has a very unusual architecture, so it's no surprise it'll need some unusual tricks. Unusual tricks in software that aims to be secure generally make me nervous since it is important to keep code readable and understandable for both the core devs, but also contributors, auditors,

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
Hans, please trim your quoted material. > They would need to use a specialized system, and that specialized > system might then be a marker of suspicion (for example, lots of > governments, including the NSA, already mark all PGP messages as > suspicious). Unless you've got a desk somewhere deep

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Feb 27, 2015, at 1:19 PM, Bjarni Runar Einarsson wrote: > Hi Hans-Christoph! > > Hans-Christoph Steiner wrote: >> With all the recent attention to GnuPG and Werner's work, I have begun to >> think about things differently. GnuPG has an amazing security track record. >> It has had few seriou

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Peter Lebbing
On 03/03/15 14:29, Hans of Guardian wrote: > It is actually more difficult to wrap GPGME in Java than to have just > rewritten GPGME in Java. In my opinion, if this is the case, then that is indeed the proper solution: write a general-purpose library à la GPGME, but don't call gpg directly from yo

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Brian Minton
It breaks mailpile because gpg-agent is not session aware. A user could be logged in locally, using mailpile, and a remote attacker could access the web interface of that locally running mailpile instance, which since it is talking to the same gpg-agent, would think the remote user is logged in (o

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Feb 27, 2015, at 3:09 PM, Peter Lebbing wrote: > On 27/02/15 12:02, Hans-Christoph Steiner wrote: >> For example, I think that >> `gpg --json` is great idea. I ended up using a Java wrapper of GPGME, which >> is in turn a wrapper of GnuPG. I think it makes a lot more sense to have >> `gpg >

Re: Re: Thoughts on GnuPG and automation

2015-02-28 Thread Bjarni Rúnar Einarsson
Hi Dan, I dedicated most of the blog post to answering that question (why it breaks Mailpile), did you not read it or did I fail to communicate? - Bjarni On 28 Feb 2015 12:44, "Daniel Kahn Gillmor" wrote: > On Fri 2015-02-27 07:19:41 -0500, Bjarni Runar Einarsson > wrote: > > I think you mi

Re: Re: Thoughts on GnuPG and automation

2015-02-28 Thread Daniel Kahn Gillmor
On Fri 2015-02-27 07:19:41 -0500, Bjarni Runar Einarsson wrote: > I think you misunderstood my complaint. I don't mind if the agent is a > persistence daemon that provides GPG-related services, that's all well > and good. It's good process separation and I have no problem with that. > > My gripe

Re: Thoughts on GnuPG and automation

2015-02-27 Thread Brian Minton
Yes, but the colon protocol doesn't support things like passphrase entry, etc. On Fri, Feb 27, 2015 at 9:09 AM, Peter Lebbing wrote: > On 27/02/15 12:02, Hans-Christoph Steiner wrote: >> For example, I think that >> `gpg --json` is great idea. I ended up using a Java wrapper of GPGME, which >> i

Re: Thoughts on GnuPG and automation

2015-02-27 Thread Peter Lebbing
On 27/02/15 12:02, Hans-Christoph Steiner wrote: > For example, I think that > `gpg --json` is a great idea. I ended up using a Java wrapper of GPGME, which > is in turn a wrapper of GnuPG. I think it makes a lot more sense to have `gpg > --json` as the parseable interface, then implement a GPGME-st

Re: Re: Thoughts on GnuPG and automation

2015-02-27 Thread Bjarni Runar Einarsson
Hi Hans-Christoph! Hans-Christoph Steiner wrote: > With all the recent attention to GnuPG and Werner's work, I have begun to > think about things differently. GnuPG has an amazing security track record. > It has had few serious security bugs, nothing even close to heartbleed that I > know of, an

Re: Thoughts on GnuPG and automation

2015-02-27 Thread Kristian Fiskerstrand
On 02/27/2015 12:02 PM, Hans-Christoph Steiner wrote: > > Bjarni Runar Einarsson wrote: >> Hello GnuPG users! .. > > With all the recent attention to GnuPG and Werner's work, I have > begun to think about things differently. GnuPG has an amazing

Re: Thoughts on GnuPG and automation

2015-02-27 Thread Hans-Christoph Steiner
Bjarni Runar Einarsson wrote: > Hello GnuPG users! > > I just published a follow-up to Smári's blog post about the Mailpile > team's frustration while working with GnuPG. The post is here: > > > https://www.mailpile.is/blog/2015-02-26_Revisiting_the_GnuPG_discussion.html > > As it's rather

Re: Re: Thoughts on GnuPG and automation

2015-02-26 Thread Bjarni Runar Einarsson
Hey Werner, Yes, please do take your time. I'm happy to hear you consider automation an important thing. I assume that means the current limitations on that front are largely due to a lack of developer resources - which I don't intend to badger you about, my project suffers from the same. Relate

Re: Thoughts on GnuPG and automation

2015-02-26 Thread Werner Koch
On Thu, 26 Feb 2015 15:57, b...@pagekite.net said: > As it's rather long, I won't paste the whole thing in here, but I do Please give me a few days to comment on this. I have some urgent tasks right now. But as a first hint: automation has never been a second class citizen and has been built into