| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Jan 2024 18:28:18 -0500
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-scsi
<linux-scsi@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] first round of SCSI updates for the 6.7+ merge window
On Thu, 2024-01-11 at 14:47 -0800, Linus Torvalds wrote:
> On Thu, 11 Jan 2024 at 14:36, Linus Torvalds
> <torvalds@...ux-foundation.org> wrote:
> >
> > Stop making a bad pgp experience even worse - for no reason and
> > absolutely zero upside.
>
> Side note: even getting gpg to show the subkeys was just an exercise
> in frustration.
>
> For example, I'd expect that when you do
>
> gpg --list-key E76040DB76CA3D176708F9AAE742C94CEE98AC85
>
> it would show the details of that key. No, it does not. It doesn't
> even *mention* that key.
You installed the special "make it even harder to use" version didn't
you? Because for me (gpg 2.4.3) it gives
jejb@...grow:~> gpg --list-key E76040DB76CA3D176708F9AAE742C94CEE98AC85
pub rsa2048 2011-09-23 [SC] [expires: 2026-03-11]
D5606E73C8B46271BEAD9ADF814AE47C214854D6
uid [ultimate] James Bottomley
<James.Bottomley@...senPartnership.com>
uid [ultimate] James Bottomley <jejb@...ux.vnet.ibm.com>
uid [ultimate] James Bottomley <jejb@...nel.org>
uid [ultimate] [jpeg image of size 5254]
uid [ultimate] James Bottomley <jejb@...ux.ibm.com>
uid [ultimate] James Bottomley <jejb@...senpartnership.com>
sub nistp256 2018-01-23 [S] [expires: 2024-01-16]
sub nistp256 2018-01-23 [E] [expires: 2024-01-16]
sub nistp256 2023-07-20 [A] [expires: 2024-01-16]
Which shows all the subkeys and their expiration dates. I admit it
doesn't show the fingerprints and you have to know you've requested a
subkey and it's showing the master record.
> Because this is gpg, and the project motto was probably "pgp was
> designed to be hard to use, and by golly, we'll take that to 11".
>
> And no, adding "-vv" to get more verbose output doesn't help. That
> just makes gpg show more *other* keys.
>
> Now, obviously, in order to actually show the key I *asked* gpg to
> list, I also have to use the "--with-subkey-fingerprint". OBVIOUSLY.
>
> I can hear everybody go all Homer on me and say "Well, duh, dummy".
>
> So yes, I realize that my frustration with pgp is because I'm just
> too stupid to understand how wonderful the UX really is, but my point
> is that you're really making it worse by using pointless features
> that actively makes it all so much less usable than it already is.
OK, OK, I can do longer expiration dates.
> Subkeys and expiration date make a bad experience worse.
I can't really fix the subkeys bit. The reason I have a signing subkey
is because on my laptop it's TPM resident but with the authorization
password in gnome-keyring, so I unlock it on login (and so, for me, it
just works for all the day to day signing operations). My master key
is also TPM resident but with a different password that doesn't unlock
on login to try to keep it more secure and because I only need to use
it when extending expiration dates or signing someone else's key.
> Yes, I blame myself for thinking pgp was a good model for tag
> signing. What can I say? I didn't expect people to actively try to
> use every bad feature.
Heh, well to paraphrase Churchill: gpg is the worst key management
system ... except for all the other key management systems out there
..
James
Powered by blists - more mailing lists