lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHk-=wi6PenRqDCuumMK_5+_gU+JdUqrBEDS-XwFiaNdVRZAHA@mail.gmail.com>
Date: Thu, 11 Jan 2024 15:50:32 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: James Bottomley <James.Bottomley@...senpartnership.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-scsi <linux-scsi@...r.kernel.org>, 
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] first round of SCSI updates for the 6.7+ merge window

On Thu, 11 Jan 2024 at 15:28, James Bottomley
<James.Bottomley@...senpartnership.com> wrote:
>
> You installed the special "make it even harder to use" version didn't
> you?

We call that the standard version. Because "harder to use" comes with
the base package.

You have the same one:

> Because for me (gpg 2.4.3) it gives
>
> jejb@...grow:~> gpg --list-key E76040DB76CA3D176708F9AAE742C94CEE98AC85
> pub   rsa2048 2011-09-23 [SC] [expires: 2026-03-11]
>       D5606E73C8B46271BEAD9ADF814AE47C214854D6
> uid           [ultimate] James Bottomley
> <James.Bottomley@...senPartnership.com>
> uid           [ultimate] James Bottomley <jejb@...ux.vnet.ibm.com>
> uid           [ultimate] James Bottomley <jejb@...nel.org>
> uid           [ultimate] [jpeg image of size 5254]
> uid           [ultimate] James Bottomley <jejb@...ux.ibm.com>
> uid           [ultimate] James Bottomley <jejb@...senpartnership.com>
> sub   nistp256 2018-01-23 [S] [expires: 2024-01-16]
> sub   nistp256 2018-01-23 [E] [expires: 2024-01-16]
> sub   nistp256 2023-07-20 [A] [expires: 2024-01-16]

Look closer.

NOWHERE there does it mention E76040D.. Nowhere.

Really.

Yeah, it says that a key that I didn't even ask for has subkeys.  It
doesn't say what those subkeys are, nor does it say which one matches
the one I actually asked for.

Yes, you clearly have Stockholm syndrome and think that this is all
normal and exactly what you would expect to see.

I happen to think it's unbelievable garbage, and I think subkeys are
something that makes gpg even harder to use than it would otherwise
be.

Here's a clue: if I ask "ls" to show a file, do you think it would be
ok if "ls" instead said "here's the directory the file is in, and here
are the dates of all the files inside that directory"?

Or would you say that such a program is crap? Honestly now...

And the above is actually being *generous* to gpg. The reality is even
worse. Try this:

   gpg --list-key 37AAA9562C5CBD0C

and notice how it doesn't even list the subkey I asked about. Not even
with '--with-subkey-fingerprint'.

And no, I'm not just making up particularly bad examples. This is the
reality I deal with all the time when people use expiration dates on
their keys.

The above "show my the key" is *literally* the key you used a decade ago:

    git show --oneline --show-signature 233ba2c5ffcf

and this is (one of millions) reason why I despise gpg and subkeys in
particular. That key was valid at the time, and as far as I know
there's no way for git to say "was it expired at the time", so now all
those signatures flag as invalid.

Plus the "--list-key" thing NOT EVEN SHOWING THE KEY I ASKED FOR.

Christ.

Ok, I'm over it now. I just wanted to rant about my least favourite
program ever, and how you trigger all the worst parts of it.

           Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ