Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

2010-05-03 Thread Jameson Rollins
Hi, Frank.  Thanks so much for the feedback.  Responses below.

On Sun, 02 May 2010 23:36:57 +0200, Frank Lin PIAT fp...@klabs.be wrote:
 On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
  * Package name: xul-ext-monkeysphere
    Version : 0.1
 
 The package description could mention that this is an
 early/alpha/experimental release, to avoid deception (and encourage
 feed-back)

This extension definitely is in the early stages of development, but it
is working for most cases now, and the developers are using it
routinely.  I'm also not sure how we would indicate that it's alpha or
experimental in the Package: or Version: fields of the control file,
which I think is what you're implying.  Do you have a suggestion for
that?

 Wouldn't it be better to state that it's a replacement for X509
 certificates? (there is probably an even better wording, but I can't
 find it).

Monkeysphere is not actually a replacement for X.509, at least not in
the sense of using Monkeysphere *or* X.509.  The goal of Monkeysphere,
broadly, is to expand the usage of OpenPGP for authentication on the
net.  In the context of the web, the Monkeysphere xul extension can be
used to validate sites that have put their host keys on the OpenPGP Web
of Trust (WOT).  However, the extension actually currently relies upon
sites providing an X.509 certificate through normal TLS channels.  We
provide a fallback validation check using the WOT when the standard
X.509 validation fails.  Our goal is not to disrupt standard X.509
validation if the user wishes to continue to rely upon it, but to
instead provide an alternative to standard X.509 validation that uses
OpenPGP and the WOT.

I agree, though, that it is relevant to mention X.509 in the package
description, at least in the sense of providing an alternative, but I
feel like we're currently doing that with this bit:

  This extension enables Monkeysphere checking of X.509 certificates
  from https hosts whose keys are in the web of trust.

Does this not seem clear enough?  Or is there something else that we're
missing in the description to make things clearer?

 The long description should mention that this package contains an
 Iceweasel extension, maybe:
  This package contains an Iceweasel/Firefox extension to use
   Monkeysphere for checking of X.509 certificates from https hosts
   whose keys are in the web of trust.

Good point.  We'll fix that.

 My 2 cents,

Always appreciated!

jamie.




Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

2010-05-03 Thread Frank Lin PIAT
On Mon, 2010-05-03 at 12:13 -0400, Jameson Rollins wrote:
 Hi, Frank.  Thanks so much for the feedback.  Responses below.
 
 On Sun, 02 May 2010 23:36:57 +0200, Frank Lin PIAT fp...@klabs.be wrote:
  On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
   * Package name: xul-ext-monkeysphere
     Version : 0.1
  
  The package description could mention that this is an
  early/alpha/experimental release, to avoid deception (and encourage
  feed-back)
 
 This extension definitely is in the early stages of development, but it
 is working for most cases now, and the developers are using it
 routinely.  I'm also not sure how we would indicate that it's alpha or
 experimental in the Package: or Version: fields of the control file,
 which I think is what you're implying.  Do you have a suggestion for
 that?

I have gathered some existing excuses, but none seems to fit your
need.
  http://wiki.debian.org/PackagesDescriptions/Fragments
Based on what you told, upstream might want to number it 0.9 ;)
Still, let me give a try:
 Although the program is still in the development stage, it already
  has some useful features, and it is quite stable

Feel free to adjust or rewrite it.

  Wouldn't it be better to state that it's a replacement for X509
  certificates? (there is probably an even better wording, but I can't
  find it).
 
 Monkeysphere is not actually a replacement for X.509, at least not in
 the sense of using Monkeysphere *or* X.509.  The goal of Monkeysphere,
 broadly, is to expand the usage of OpenPGP for authentication on the
 net.  In the context of the web, the Monkeysphere xul extension can be
 used to validate sites that have put their host keys on the OpenPGP Web
 of Trust (WOT).  However, the extension actually currently relies upon
 sites providing an X.509 certificate through normal TLS channels.  We
 provide a fallback validation check using the WOT when the standard
 X.509 validation fails.  Our goal is not to disrupt standard X.509
 validation if the user wishes to continue to rely upon it, but to
 instead provide an alternative to standard X.509 validation that uses
 OpenPGP and the WOT.

ok we just have to figure out how to write that in 4 or 5 lines ;)

Monkeysphere uses OpenPGP's « Web of Trust » to validate X509
 certificates that aren't signed by a known certificate authority
 (CA).

We could also add something like this:

In regular public key infrastructure (PKI), X509 certificates
 are signed by third-party organisations that are considered to
 be trusted by both the webserver-admin and the web-browser vendor.


 I agree, though, that it is relevant to mention X.509 in the package
 description, at least in the sense of providing an alternative, but I
 feel like we're currently doing that with this bit:
 
   This extension enables Monkeysphere checking of X.509 certificates
   from https hosts whose keys are in the web of trust.
 
 Does this not seem clear enough?  Or is there something else that we're
 missing in the description to make things clearer?
 
  The long description should mention that this package contains an
  Iceweasel extension, maybe:
   This package contains an Iceweasel/Firefox extension to use
    Monkeysphere for checking of X.509 certificates from https hosts
    whose keys are in the web of trust.
 
 Good point.  We'll fix that.

Again, just my 2 cents ;)

Franklin




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

2010-05-02 Thread Frank Lin PIAT
On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
 * Package name: xul-ext-monkeysphere
   Version : 0.1

The package description could mention that this is an
early/alpha/experimental release, to avoid deception (and encourage
feed-back)


   Description : Iceweasel/Firefox extension for using Monkeysphere on the 
 web
 
 Monkeysphere is a system for using the OpenPGP web of trust 
 as a PKI for rsa keys.
   ^^^ Is it appropriate to name those keys RSA

Wouldn't it be better to state that it's a replacement for X509
certificates? (there is probably an even better wording, but I can't
find it).

 This extension enables Monkeysphere checking of X.509 certificates
 from https hosts whose keys are in the web of trust.

The long description should mention that this package contains an
Iceweasel extension, maybe:
 This package contains an Iceweasel/Firefox extension to use
  Monkeysphere for checking of X.509 certificates from https hosts
  whose keys are in the web of trust.


My 2 cents,

Franklin







Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

2010-04-26 Thread Benjamin Drung
On Sunday, 25.04.2010, at 20:46 -0400, Jameson Rollins wrote:
 There's actually already a package called monkeysphere, with a
 corresponding source package called monkeysphere.

Ok. On my first quick check I haven't found it (probably due to a typo).

 The upstream source
 for this package is actually being referred to as
 xul-ext-monkeysphere.  Is there some reason that can't be used as the
 source package name?

There is no reason against it. I thought that the upstream project was
called monkeysphere, but I didn't recognize that it was a different
package. My objection has become meaningless.

You may want to use mozilla-devscripts [1] for packaging.

Just a notice to upstream: monkeysphere-extension would be an
alternative name to xul-ext-monkeysphere.

[1] http://wiki.debian.org/mozilla-devscripts

-- 
Benjamin Drung
Ubuntu Developer (www.ubuntu.com) | Debian Maintainer (www.debian.org)




Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

2010-04-25 Thread Jameson Graef Rollins
Package: wnpp
Severity: wishlist
Owner: Jameson Rollins jroll...@finestructure.net


* Package name: xul-ext-monkeysphere
  Version : 0.1
  Upstream Author : monkeysph...@lists.riseup.net
* URL : http://web.monkeysphere.info/
* License : GPLv3
  Programming Lang: javascript
  Description : Iceweasel/Firefox extension for using Monkeysphere on the 
web

Monkeysphere is a system for using the OpenPGP web of trust as a PKI
for rsa keys.
.
This extension enables Monkeysphere checking of X.509 certificates
from https hosts whose keys are in the web of trust.







Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

2010-04-25 Thread Benjamin Drung
On Sunday, 25.04.2010, at 18:44 -0400, Jameson Graef Rollins wrote:
 Package: wnpp
 Severity: wishlist
 Owner: Jameson Rollins jroll...@finestructure.net
 
 
 * Package name: xul-ext-monkeysphere
   Version : 0.1
   Upstream Author : monkeysph...@lists.riseup.net
 * URL : http://web.monkeysphere.info/
 * License : GPLv3
   Programming Lang: javascript
   Description : Iceweasel/Firefox extension for using Monkeysphere on the 
 web
 
 Monkeysphere is a system for using the OpenPGP web of trust as a PKI
 for rsa keys.
 .
 This extension enables Monkeysphere checking of X.509 certificates
 from https hosts whose keys are in the web of trust.

Please call the source package name monkeysphere and only the binary
package name xul-ext-monkeysphere.

-- 
Benjamin Drung
Ubuntu Developer (www.ubuntu.com) | Debian Maintainer (www.debian.org)




Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

2010-04-25 Thread Jameson Rollins
On Mon, 26 Apr 2010 01:09:37 +0200, Benjamin Drung bdr...@ubuntu.com wrote:
 Please call the source package name monkeysphere and only the binary
 package name xul-ext-monkeysphere.

Hi, Benjamin.  Thanks for the response.

There's actually already a package called monkeysphere, with a
corresponding source package called monkeysphere.  The upstream source
for this package is actually being referred to as
xul-ext-monkeysphere.  Is there some reason that can't be used as the
source package name?

Thanks.

jamie.

