Re: [Enigmail] jsunit updates and distribution

2019-09-17 Thread Patrick Brunschwig
On 17 September 2019 18:55:53 CEST, john doe wrote:
>On 9/17/2019 5:22 PM, Patrick Brunschwig wrote:
>> john doe wrote on 17.09.2019 16:37:
>>> On 9/17/2019 3:58 PM, Daniel Kahn Gillmor wrote:
>>>> Hi Patrick, and other enigmail folks--
>>>>
>>>> I'm trying to sort out enigmail 2.1 for debian with tbird 68.
>>>>
>>>> i note that to properly test the new enigmail, i need a newer version of
>>>> jsunit for the testing, so i'd like to ship that in debian too.  at
>>>> https://www.enigmail.net/jsunit/ i see that jsunit 0.2.2 is available.
>>>>
>>>> i notice a few things that seem amiss with jsunit distribution.  I've
>>>> ordered them from highest priority to lowest priority as i see it -- but
>>>> if you can fix any of them, that would be great:
>>>>
>>>>  * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
>>>>    has no tags for anything after jsunit-0.2.0, even though
>>>>    https://www.enigmail.net/jsunit/ lists 0.2.1 and 0.2.2.
>>>>
>>>>  * The git tags that i do see don't appear to be signed.  Please sign
>>>>    any new tags you create!
>>>>
>>>
>>> And also, signing of commit.
>>
>> No, I won't sign commits. I'm fine signing tags (like I did for years on
>> Enigmail), but I will not sign commits.
>>
>
>Do you mind explaining why you are against signing commits?
>
>--
>John Doe
>
>___
>enigmail-users mailing list
>enigmail-users@enigmail.net
>To unsubscribe or make changes to your subscription click here:
>https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net

In my eyes, a signature carries a certain value. By signing, I warrant a 
certain quality about the signed content. That's why I sign release tags, and 
some of my emails.

But when it comes to commits, I don't warrant for anything. Some commits are 
good, some break things, some are bad attempts to fix something, etc. Also, 
since I'm mostly the only developer, there's no review on commits. In other 
words, unlike releases, there is no quality assurance on commits.

Therefore, you'll never be able to convince me to sign commits.

Patrick

signature.asc
Description: PGP signature


Re: [Enigmail] jsunit updates and distribution

2019-09-17 Thread Daniel Kahn Gillmor
On Tue 2019-09-17 18:55:53 +0200, john doe wrote:
> Do you mind explaining why you are against signing commits?

I'd like to understand what your proposed use case and value proposition
is for signed commits.

I can justify my call for signed tags -- i want to have cryptographic
provenance for any software release that i package for debian.  Note
that i want to package a *release* though -- not just some arbitrary
(possibly buggy) stage on the way to a release.

do you believe that branch rebases ("changing history") are acceptable
steps for free software developers to take in pursuit of a cleaner git
history?

Who do you expect to verify the signatures on the signed commits?  when
should they verify them?  what specific tests should they perform on the
signatures (e.g. "monotonically increasing in time", "signature timestamp
matches commit message timestamp", "author is from specific set", "no
existing commits ever disappear", etc)

I'm not saying that signed commits are never warranted -- i'm just not
sure what the specific hope is, and what kinds of attacks you hope to
mitigate, and how that practice applies to jsunit itself, since that's
what's under discussion here.

 --dkg




Re: [Enigmail] jsunit updates and distribution

2019-09-17 Thread Daniel Kahn Gillmor
Hi Patrick--

Thanks for your prompt fixes, i've just uploaded jsunit 0.2.2-1 to
debian experimental for now.

--dkg




Re: [Enigmail] jsunit updates and distribution

2019-09-17 Thread john doe
On 9/17/2019 5:22 PM, Patrick Brunschwig wrote:
> john doe wrote on 17.09.2019 16:37:
>> On 9/17/2019 3:58 PM, Daniel Kahn Gillmor wrote:
>>> Hi Patrick, and other enigmail folks--
>>>
>>> I'm trying to sort out enigmail 2.1 for debian with tbird 68.
>>>
>>> i note that to properly test the new enigmail, i need a newer version of
>>> jsunit for the testing, so i'd like to ship that in debian too.  at
>>> https://www.enigmail.net/jsunit/ i see that jsunit 0.2.2 is available.
>>>
>>> i notice a few things that seem amiss with jsunit distribution.  I've
>>> ordered them from highest priority to lowest priority as i see it -- but
>>> if you can fix any of them, that would be great:
>>>
>>>  * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
>>>    has no tags for anything after jsunit-0.2.0, even though
>>>    https://www.enigmail.net/jsunit/ lists 0.2.1 and 0.2.2.
>>>
>>>  * The git tags that i do see don't appear to be signed.  Please sign
>>>    any new tags you create!
>>>
>>
>> And also, signing of commit.
>
> No, I won't sign commits. I'm fine signing tags (like I did for years on
> Enigmail), but I will not sign commits.
>

Do you mind explaining why you are against signing commits?

--
John Doe



Re: [Enigmail] unverified signatures

2019-09-17 Thread Gary Curtin
On 17/09/2019 17:05, Patrick Brunschwig wrote:
> I suspect that you configured Enigmail or gpg to try to automatically
> download missing keys, which may take quite a while.

No, it is at its default settings, so I did not change anything.

Now that I look at the settings for the very first time, I see that it
is set to automatically download signatures. But it does not download
them automatically anyway so I guess the default server is useless. The
next time I click on that message it happens all over again.

Once I removed the server from the field, there is now no delay. Thanks
Patrick.

But I wonder why it appears to only be signatures added by enigmail that
cause this long delay.



Re: [Enigmail] jsunit updates and distribution

2019-09-17 Thread Patrick Brunschwig
john doe wrote on 17.09.2019 16:37:
> On 9/17/2019 3:58 PM, Daniel Kahn Gillmor wrote:
>> Hi Patrick, and other enigmail folks--
>>
>> I'm trying to sort out enigmail 2.1 for debian with tbird 68.
>>
>> i note that to properly test the new enigmail, i need a newer version of
>> jsunit for the testing, so i'd like to ship that in debian too.  at
>> https://www.enigmail.net/jsunit/ i see that jsunit 0.2.2 is available.
>>
>> i notice a few things that seem amiss with jsunit distribution.  I've
>> ordered them from highest priority to lowest priority as i see it -- but
>> if you can fix any of them, that would be great:
>>
>>  * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
>>    has no tags for anything after jsunit-0.2.0, even though
>>    https://www.enigmail.net/jsunit/ lists 0.2.1 and 0.2.2.
>>
>>  * The git tags that i do see don't appear to be signed.  Please sign
>>    any new tags you create!
>>
> 
> And also, signing of commit.

No, I won't sign commits. I'm fine signing tags (like I did for years on
Enigmail), but I will not sign commits.

-Patrick






Re: [Enigmail] jsunit updates and distribution

2019-09-17 Thread Patrick Brunschwig
Daniel Kahn Gillmor wrote on 17.09.2019 15:58:
> Hi Patrick, and other enigmail folks--
> 
> I'm trying to sort out enigmail 2.1 for debian with tbird 68.
> 
> i note that to properly test the new enigmail, i need a newer version of
> jsunit for the testing, so i'd like to ship that in debian too.  at
> https://www.enigmail.net/jsunit/ i see that jsunit 0.2.2 is available.
> 
> i notice a few things that seem amiss with jsunit distribution.  I've
> ordered them from highest priority to lowest priority as i see it -- but
> if you can fix any of them, that would be great:
> 
>  * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
>    has no tags for anything after jsunit-0.2.0, even though
>    https://www.enigmail.net/jsunit/ lists 0.2.1 and 0.2.2.

0.2.1 can safely be ignored. It was required for some beta version of
TB, but changes in TB 68 forced me to create 0.2.2. I deleted 0.2.1 from
the downloads as it's plain useless.

>  * The git tags that i do see don't appear to be signed.  Please sign
>    any new tags you create!

I created (and pushed) a signed 0.2.2 tag :-)

>  * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
>    has an erroneous tag jsunit-1.1.2 -- maybe you want to clean that up
>    with something like (untested, i know this syntax works with
>    branches, but i don't know about tags):
> 
>    git push origin :jsunit-1.1.2

That's a wrong tag indeed - I deleted it

>  * The "file not found" situation below https://www.enigmail.net/jsunit/
>    is weird.  Rather than giving a 404 return code, a request for a
>    missing URL gives a series of HTTP redirections which culminate in an
>    HTTP 200 at https://www.enigmail.net/index.php/en/error-404 (that
>    page *says* "Error 404 - Page not Found" in the text, but it's
>    actually an HTTP 200 OK response!).
> 
>    This confuses debian's automatic upstream retrieval scripts ("uscan")
>    when they hunt around for trial signatures.  In particular, uscan
>    tests the URL at https://www.enigmail.net/jsunit/jsunit-0.2.2.xpi.asc
>    and then thinks that maybe a signature is available, because it
>    follows the chain of redirects.

Yes, I created a jsunit-0.2.2.xpi.asc file

>    The easiest way to avoid confusing uscan in the short term is just to
>    ship .asc OpenPGP signatures alongside the .xpi bundles.  but fixing
>    the overall 404 handler would probably be a good thing at some point
>    too.

Yes, I'll have to convince Joomla to do the correct thing...

-Patrick







Re: [Enigmail] unverified signatures

2019-09-17 Thread Patrick Brunschwig
Gary Curtin wrote on 17.09.2019 16:19:
> When there is an unverified signature, the message takes ages to open in
> Thunderbird. The same message opens almost immediately in Evolution.
> 
> An example is the latest message just posted to the list from Daniel
> Kahn Gillmor re: jsunit updates and distribution.
> 
> It only happens on this list so I am assuming it is related to
> signatures added by enigmail, as that is what the members are probably
> using. I don't notice the same issue with other signed messages where I
> know the signatures are not added by enigmail.
> 
> Any suggestions on how to overcome this delay?

I suspect that you configured Enigmail or gpg to try to automatically
download missing keys, which may take quite a while.

-Patrick



Re: [Enigmail] jsunit updates and distribution

2019-09-17 Thread john doe
On 9/17/2019 3:58 PM, Daniel Kahn Gillmor wrote:
> Hi Patrick, and other enigmail folks--
>
> I'm trying to sort out enigmail 2.1 for debian with tbird 68.
>
> i note that to properly test the new enigmail, i need a newer version of
> jsunit for the testing, so i'd like to ship that in debian too.  at
> https://www.enigmail.net/jsunit/ i see that jsunit 0.2.2 is available.
>
> i notice a few things that seem amiss with jsunit distribution.  I've
> ordered them from highest priority to lowest priority as i see it -- but
> if you can fix any of them, that would be great:
>
>  * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
>    has no tags for anything after jsunit-0.2.0, even though
>    https://www.enigmail.net/jsunit/ lists 0.2.1 and 0.2.2.
>
>  * The git tags that i do see don't appear to be signed.  Please sign
>    any new tags you create!
>

And also, signing of commit.

>  * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
>    has an erroneous tag jsunit-1.1.2 -- maybe you want to clean that up
>    with something like (untested, i know this syntax works with
>    branches, but i don't know about tags):
>
>    git push origin :jsunit-1.1.2
>

Creating a new tag with the correct tag is best; I never remove
something that is publicly available.

--
John Doe



[Enigmail] jsunit updates and distribution

2019-09-17 Thread Daniel Kahn Gillmor
Hi Patrick, and other enigmail folks--

I'm trying to sort out enigmail 2.1 for debian with tbird 68.

i note that to properly test the new enigmail, i need a newer version of
jsunit for the testing, so i'd like to ship that in debian too.  at
https://www.enigmail.net/jsunit/ i see that jsunit 0.2.2 is available.

i notice a few things that seem amiss with jsunit distribution.  I've
ordered them from highest priority to lowest priority as i see it -- but
if you can fix any of them, that would be great:

 * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
   has no tags for anything after jsunit-0.2.0, even though
   https://www.enigmail.net/jsunit/ lists 0.2.1 and 0.2.2.

 * The git tags that i do see don't appear to be signed.  Please sign
   any new tags you create!

 * The git repo at https://git.code.sf.net/u/pbrunschwig/jsunit/source
   has an erroneous tag jsunit-1.1.2 -- maybe you want to clean that up
   with something like (untested, i know this syntax works with
   branches, but i don't know about tags):

   git push origin :jsunit-1.1.2

 * The "file not found" situation below https://www.enigmail.net/jsunit/
   is weird.  Rather than giving a 404 return code, a request for a
   missing URL gives a series of HTTP redirections which culminate in an
   HTTP 200 at https://www.enigmail.net/index.php/en/error-404 (that
   page *says* "Error 404 - Page not Found" in the text, but it's
   actually an HTTP 200 OK response!).

   This confuses debian's automatic upstream retrieval scripts ("uscan")
   when they hunt around for trial signatures.  In particular, uscan
   tests the URL at https://www.enigmail.net/jsunit/jsunit-0.2.2.xpi.asc
   and then thinks that maybe a signature is available, because it
   follows the chain of redirects.

   The easiest way to avoid confusing uscan in the short term is just to
   ship .asc OpenPGP signatures alongside the .xpi bundles.  but fixing
   the overall 404 handler would probably be a good thing at some point
   too.

Thanks for your work on enigmail!

   --dkg
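
The "file not found" behaviour described in the message above, reproduced on a loopback server, with a probe that refuses to treat a redirected HTTP 200 as evidence of a signature. This is an added example, not code from the thread, from uscan or from enigmail.net; `DemoSite`, `start_demo_site`, `probe_signature` and the `present`/`missing` paths are assumptions made for the illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEAD, TAIL = b"-----BEGIN PGP SIGNATURE-----", b"-----END PGP SIGNATURE-----"
# Constructed sample: armor framing only, not a real signature.
SAMPLE_ASC = HEAD + b"\n\nAAAA\n=AAAA\n" + TAIL + b"\n"
# Ignore proxy environment variables so the loopback demo stays local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in: missing files redirect to a page served as 200."""
    def do_GET(self):
        if self.path == "/jsunit/present.xpi.asc":
            self._send(200, "application/pgp-signature", SAMPLE_ASC)
        elif self.path == "/error-404":
            self._send(200, "text/html", b"<h1>Error 404 - Page not Found</h1>")
        else:  # no 404 status, just a redirect to the error page
            self.send_response(302)
            self.send_header("Location", "/error-404")
            self.end_headers()

    def _send(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_demo_site():  # returns (server, base_url) on a free loopback port
    server = HTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

def probe_signature(url):
    """Return (accepted, reason); an HTTP 200 alone is not accepted as proof."""
    with OPENER.open(url, timeout=5) as resp:
        body = resp.read(65536).strip()
        if resp.geturl() != url:
            return False, "redirected to " + resp.geturl()
        if not (body.startswith(HEAD) and body.endswith(TAIL)):
            return False, "body is not an armored OpenPGP signature"
        return True, "armored signature at the requested URL"

if __name__ == "__main__":
    server, base = start_demo_site()
    for name in ("present.xpi.asc", "missing.xpi.asc"):
        print(name, probe_signature(base + "/jsunit/" + name))
```

The armor check only confirms that something signature-shaped was served at the requested URL; the signature still has to be verified against the upstream key before the download is trusted.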

