[mailto:h...@guardianproject.info]
Sent: Monday, March 09, 2015 12:08 PM
To: Bob (Robert) Cavanaugh; Peter Lebbing
Cc: gnupg
Subject: Re: Thoughts on GnuPG and automation
Why do I get so many responses like this on this list? I've spent a ton of
time solving our own problems
On 3/9/15 2:10 PM, Bob (Robert) Cavanaugh wrote:
you will not get your desired results by starting the conversation impugning the
work that went before and claiming that what you are asking for is far superior
OTOH, it's often useful when talking about a possible direction for new
projects to
: Thoughts on GnuPG and automation
Why do I get so many responses like this on this list? I've spent a
ton of time solving our own problems with the Android port, we also
made sure to take out a support contract with Werner to pay him to
answer our questions. I only wish we'd had more so
To: Peter Lebbing
Cc: gnupg
Subject: Re: Thoughts on GnuPG and automation
On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote:
In Android, you can't really have shared libraries. Apps share functionality
at a higher level (aka Activities and Services). So GnuPG-for-Android _is_
the shared
Werner Koch:
On Tue, 3 Mar 2015 21:29, h...@guardianproject.info said:
* Android will kill apps when it needs to, app lifecycle is automatically managed,
  the app has no control over it, and often zero warning is given
That is the same as with Linux. Ever heard of the OOM killer?
OOM
Werner Koch w...@gnupg.org wrote:
I think that one solution would be to have mailpile use a per-session
gpg home dir.
That is an architectural decision.
BTW, gpg-agent has this --extra-socket feature which distinguishes
between remote and local use (modulo some discussed changes). It
On 04.03.15 01:55, Hans of Guardian wrote:
In Android, you can't really have shared libraries. Apps share functionality
at a higher level (aka Activities and Services).
Qt applications can share Qt libraries [1] with an external dependency
called Ministro [2].
[1]:
On 04.03.15 18:21, Bjarni Runar Einarsson wrote:
GPGME proponents will be frustrated to hear that this knowledge actually
makes me feel much better about Mailpile's decision to wrap gpg
directly: it means I've removed two layers of abstraction between my
code and gpg! Win! Although supposedly
On 04.03.15 12:48, Werner Koch wrote:
that doesn't tell you about proprietary projects that have chosen not to
use GPGME. I've had clients refuse to use GPGME because of the
licensing, even under the LGPLv2.1. (Foolish, I know.) Other times
And I have had several hints that it was used
On Wed, 4 Mar 2015 00:57, h...@guardianproject.info said:
thread at this point. The bizarre Java wrapper of GPGME was not the
biggest part of the problem of the GnuPG-for-Android port, but it was
nonetheless a real problem. Sure it is possible to use GPGME with
You mean Stefan's decade old
On Wed, 4 Mar 2015 00:50, h...@guardianproject.info said:
If you are interested, you should read the details. Because you are
missing some key details here. I believe they log all PGP encrypted
communication. That would be easy for them to do. I don't know about
HTTPS.
I don't know for
On Wed, 4 Mar 2015 01:43, robe...@broadcom.com said:
I think Peter and the group already adequately answered this: If GPGME
is not providing an interface that meets Android requirements, then
look into how GPGME interfaces to GPG and emulate that interface.
FWIW, EasyPG, the GnuPG interface
On Tue, 3 Mar 2015 21:29, h...@guardianproject.info said:
* Android will kill apps when it needs to, app lifecycle is automatically managed,
  the app has no control over it, and often zero warning is given
That is the same as with Linux. Ever heard of the OOM killer?
* Android was not
On 03/03/15 14:29, Hans of Guardian wrote:
It is actually more difficult to wrap GPGME in Java than to have just
rewritten GPGME in Java. GPGME is a fine API for C/C++, it is a bad
API for other languages. You end up with an API that feels like a C
API forced into the language, e.g. Java,
It can't be that bad:
$ apt-cache rdepends libgpgme11 | wc -l
84
and the majority of problems I hear are by projects which do not use
GPGME. So I wonder a bit about your statement.
You're looking at FOSS projects that have successfully used GPGME, but
that doesn't tell you about
I don't know for sure about encrypted mail but it is known that
https connection information is recorded and stored for future
attacks:
Perhaps. Plausible, even, given storage requirements for connection
information. But storing traffic, when 99.99% of it is good --
that's ridiculous.
On Wed, 4 Mar 2015 01:45, r...@sixdemonbag.org said:
ever hacked on GnuPG has found situations where GPGME isn't a good
solution, sometimes for architectural reasons and sometimes for API
reasons and sometimes for language binding reasons and sometimes for
licensing reasons and... etc.
It
On Wed, 4 Mar 2015 10:57, r...@sixdemonbag.org said:
You're looking at FOSS projects that have successfully used GPGME, but
Sure.
that doesn't tell you about proprietary projects that have chosen not to
use GPGME. I've had clients refuse to use GPGME because of the
licensing, even under
That has not been said.
Not by you, correct. I've heard it from others.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
On 04/03/15 00:55, Hans of Guardian wrote:
[...] what I'm trying to say is that for programming environments
where GPGME does not make sense, there should be the ability to
easily make a native version of what GPGME is doing.
Couldn't this be achieved by writing a C program that, for instance,
On Tue, 3 Mar 2015 16:23, br...@minton.name said:
It breaks mailpile because gpg-agent is not session aware. A user could
be logged in locally, using mailpile, and a remote attacker could access
the web interface of that locally running mailpile instance, which since
it is talking to the
On Wed, 4 Mar 2015 10:50, r...@sixdemonbag.org said:
I don't know for sure about encrypted mail but it is known that
https connection information is recorded and stored for future
attacks:
Perhaps. Plausible, even, given storage requirements for connection
information. But storing
On Wed, 4 Mar 2015 11:10, pe...@digitalbrains.com said:
Your easily written native library
[JSON]
Program written in C
[GPGME]
That Program written in C already exists: gpgme-tool. It creates
output in XML but adding an option for JSON output should be
straightforward.
Shalom-Salam,
On Wed, 04 Mar 2015 10:50:53 +0100
Robert J. Hansen r...@sixdemonbag.org wrote:
The possibility of *every encrypted communication* being intercepted
and stored for later exploitation ... is not real, and we need to stop
treating it as such.
I remember when we used to think this about the NSA
On Feb 27, 2015, at 3:09 PM, Peter Lebbing wrote:
On 27/02/15 12:02, Hans-Christoph Steiner wrote:
For example, I think that
`gpg --json` is a great idea. I ended up using a Java wrapper of GPGME, which
is in turn a wrapper of GnuPG. I think it makes a lot more sense to have
`gpg --json`
On 03/03/15 14:29, Hans of Guardian wrote:
It is actually more difficult to wrap GPGME in Java than to have just
rewritten GPGME in Java.
In my opinion, if this is the case, then that is indeed the proper
solution: write a general-purpose library à la GPGME, but don't call gpg
directly from
On Feb 27, 2015, at 1:19 PM, Bjarni Runar Einarsson wrote:
Hi Hans-Christoph!
Hans-Christoph Steiner h...@guardianproject.info wrote:
With all the recent attention to GnuPG and Werner's work, I have begun to
think about things differently. GnuPG has an amazing security track record.
It
Yeah, mailpile has a very unusual architecture, so it's no surprise it'll need
some unusual tricks. Unusual tricks in software that aims to be secure
generally make me nervous since it is important to keep code readable and
understandable for both the core devs, but also contributors,
On Mar 3, 2015, at 4:43 PM, Peter Lebbing wrote:
On 03/03/15 14:29, Hans of Guardian wrote:
It is actually more difficult to wrap GPGME in Java than to have just
rewritten GPGME in Java.
In my opinion, if this is the case, then that is indeed the proper
solution: write a general-purpose
Different programming languages and operating systems can have very
different ways of launching and handling external processes.
Eh. Different operating systems, sure: that's the nature of kernels.
They provide different syscalls, and that's at root how you launch an
external process -- by
On 03/03/15 18:29, Hans of Guardian wrote:
Android has an installed base of hundreds of millions. Desktop UNIX
is the exotic system here as compared to Windows, Android, etc.
I have no idea about how difficult it is to launch the gpg binary with a
few pipes attached to a few file descriptors
Android has an installed base of hundreds of millions.
So?
GnuPG and GPGME are products of their birth, just like anything else.
It was built for desktop operating systems. If you want to make it live
in the mobile space, go with God and I wish you all the luck in the
world -- but if GPGME
This is definitely public information from the Snowden leaks. There
is also quite a bit of information about other governments doing
similar things. Here's one example article:
If all encrypted traffic is deemed suspicious, then 99.999% of the
suspicious set -- Amazon transactions,
On Tue, 3 Mar 2015 14:29, h...@guardianproject.info said:
It is actually more difficult to wrap GPGME in Java than to have just
rewritten GPGME in Java. GPGME is a fine API for C/C++, it is a bad
Sorry, but that is not your problem. The problem on Android seems to be
that it is not easy to
On 3 Mar 2015 at 21:24, Ingo Klöcker wrote:
[..]
After the recent terrorist attacks in Paris and Brussels some German
politicians are again arguing that we need Vorratsdatenspeicherung
(data retention, i.e. storage of all communication meta data for 6
months) in Germany to prevent such
On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote:
On 03/03/15 18:29, Hans of Guardian wrote:
Android has an installed base of hundreds of millions. Desktop UNIX
is the exotic system here as compared to Windows, Android, etc.
I have no idea about how difficult it is to launch the gpg binary
On Tuesday 03 March 2015 19:31:14 Robert J. Hansen wrote:
This is definitely public information from the Snowden leaks. There
is also quite a bit of information about other governments doing
similar things. Here's one example article:
If all encrypted traffic is deemed suspicious, then
On 4 Mar 2015, at 07:24, Ingo Klöcker kloec...@kde.org wrote:
After the recent terrorist attacks in Paris and Brussels some German
politicians are again arguing that we need Vorratsdatenspeicherung (data
retention, i.e. storage of all communication meta data for 6 months) in
Germany to
On Tue, 3 Mar 2015 21:24:15 +0100
Ingo Klöcker kloec...@kde.org wrote:
Hello Ingo,
of terror. Still this completely pants-on-head absurd policy will
become reality if those German politicians get what they want.
It's not just in Germany: Politicians across the world utilise similar
On 4 Mar 2015 at 7:47, Sandeep Murthy wrote:
[...]
Once such a data retention law is in place it is dangerous because
inevitably there is a mission creep that sets in - it is not
hard to imagine one day that encryption software users, maybe GPG
users, will be required to disclose information
If you are interested, you should read the details.
Did. Have.
Because you are missing some key details here.
In other words, you're wrong, but I'm not going to present any evidence
or reasoning, I'm just going to make vague statements about how you're
missing details which I am privy to.
On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote:
On 03/03/15 18:29, Hans of Guardian wrote:
Android has an installed base of hundreds of millions. Desktop UNIX
is the exotic system here as compared to Windows, Android, etc.
I have no idea about how difficult it is to launch the gpg binary
And that is why this thread is going on, so hopefully we can come to
an agreement that there are many areas where GnuPG can be used but
GPGME is a bad solution to do it.
Maybe I'm a little irritable here, but -- pretty much everyone who's
ever hacked on GnuPG has found situations where GPGME
On Mar 3, 2015, at 8:52 PM, Werner Koch wrote:
On Tue, 3 Mar 2015 14:29, h...@guardianproject.info said:
It is actually more difficult to wrap GPGME in Java than to have just
rewritten GPGME in Java. GPGME is a fine API for C/C++, it is a bad
Sorry, but that is not your problem. The
On Mar 3, 2015, at 7:31 PM, Robert J. Hansen wrote:
This is definitely public information from the Snowden leaks. There
is also quite a bit of information about other governments doing
similar things. Here's one example article:
If all encrypted traffic is deemed suspicious, then
Sent: Tuesday, March 03, 2015 3:55 PM
To: Peter Lebbing
Cc: gnupg
Subject: Re: Thoughts on GnuPG and automation
On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote:
In Android, you can't really have shared libraries. Apps share functionality
at a higher level (aka Activities and Services). So GnuPG
On Mar 3, 2015, at 5:01 PM, Robert J. Hansen wrote:
Hans, please trim your quoted material.
They would need to use a specialized system, and that specialized
system might then be a marker of suspicion (for example, lots of
governments, including the NSA, already mark all PGP messages as
On Mar 3, 2015, at 5:49 PM, Robert J. Hansen wrote:
Different programming languages and operating systems can have very
different ways of launching and handling external processes.
Eh. Different operating systems, sure: that's the nature of kernels.
They provide different syscalls, and
Hi Dan,
I dedicated most of the blog post to answering that question (why it
breaks Mailpile), did you not read it or did I fail to communicate?
- Bjarni
On 28 Feb 2015 12:44, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
On Fri 2015-02-27 07:19:41 -0500, Bjarni Runar Einarsson
On Fri 2015-02-27 07:19:41 -0500, Bjarni Runar Einarsson b...@pagekite.net
wrote:
I think you misunderstood my complaint. I don't mind if the agent is a
persistence daemon that provides GPG-related services, that's all well
and good. It's good process separation and I have no problem with
Hi Hans-Christoph!
Hans-Christoph Steiner h...@guardianproject.info wrote:
With all the recent attention to GnuPG and Werner's work, I have begun to
think about things differently. GnuPG has an amazing security track record.
It has had few serious security bugs, nothing even close to
Yes, but the colon protocol doesn't support things like passphrase entry, etc.
On Fri, Feb 27, 2015 at 9:09 AM, Peter Lebbing pe...@digitalbrains.com wrote:
On 27/02/15 12:02, Hans-Christoph Steiner wrote:
For example, I think that
`gpg --json` is a great idea. I ended up using a Java wrapper
Bjarni Runar Einarsson wrote:
Hello GnuPG users!
I just published a follow-up to Smári's blog post about the Mailpile
team's frustration while working with GnuPG. The post is here:
https://www.mailpile.is/blog/2015-02-26_Revisiting_the_GnuPG_discussion.html
As it's rather long, I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 12:02 PM, Hans-Christoph Steiner wrote:
Bjarni Runar Einarsson wrote:
Hello GnuPG users!
..
With all the recent attention to GnuPG and Werner's work, I have
begun to think about things differently. GnuPG has an amazing
Hello GnuPG users!
I just published a follow-up to Smári's blog post about the Mailpile
team's frustration while working with GnuPG. The post is here:
https://www.mailpile.is/blog/2015-02-26_Revisiting_the_GnuPG_discussion.html
As it's rather long, I won't paste the whole thing in here, but
On Thu, 26 Feb 2015 15:57, b...@pagekite.net said:
As it's rather long, I won't paste the whole thing in here, but I do
Please give me a few days to comment on this. I have some urgent tasks
right now. But as a first hint: automation has never been second class
citizen and has been built into
Hey Werner,
Yes, please do take your time.
I'm happy to hear you consider automation an important thing. I assume
that means the current limitations on that front are largely due to a
lack of developer resources - which I don't intend to badger you about,
my project suffers from the same.