From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: Wherein I argue for the inclusion of libnettle in Emacs 24.5
Date: Wed, 05 Feb 2014 08:41:31 -0500 [thread overview]
Message-ID: <87txcdd6d0.fsf@lifelogs.com> (raw)
In-Reply-To: 874n4e3rkm.fsf@uwakimon.sk.tsukuba.ac.jp
On Wed, 05 Feb 2014 17:13:29 +0900 "Stephen J. Turnbull" <stephen@xemacs.org> wrote:
On Wed, 05 Feb 2014 17:19:13 +0900 Daiki Ueno <ueno@gnu.org> wrote:
SJT> Ted Zlatanov writes:
>> Right. Shelling out
SJT> Fine point: no need for a shell, and it's almost certainly preferable
SJT> not use a shell.
>> to an external binary every time you want to verify a package's
>> signature or want to encrypt/decrypt/sign data makes perfect sense.
SJT> Obviously not perfect, since at least one person in the world doesn't
SJT> get it. Nevertheless, the GPG developers apparently think it does
SJT> make good sense, since they've made a point of making it difficult to
SJT> do otherwise.
DU> At least it works at acceptable performance now.
It's not acceptable to me, but then again I'm not a crypto/security-expert.
>> Blindly entering your passphrase in an anonymous popup that says
>> it's from the GnuPG agent is how things are done.
SJT> Not relevant in the sense that it could be done with an anonymous
SJT> popup that says it's from Emacs, too.
The minibuffer is much harder to fake than a popup. Furthermore, you
don't know *which* passphrase is being requested, so at the very least
it can be annoying. Oh, I know, we'll add --with-pinentry-title and
--with-pinentry-message flags. Christ.
DU> This could be fixed. Sounds definitely easier than importing plenty of
DU> crypto primitives from a C library.
It doesn't have to be an exclusive choice, and I'm not asking anyone to
do the work on either side.
>> Trusting loosely coupled components is standard industry practice.
SJT> Trust and coupling are not in any particular relationship. Viz. the
SJT> fundamental design of Qmail and Postfix, which are two MTAs designed
SJT> by acknowledged security experts.
qmail and Postfix are system applications that run as daemons.
Completely different from Emacs. Emacs is more like Firefox or Chrome
with their embedded Javascript engines and layout renderers, as Lars
pointed out. Those applications tend to use the platform's keychain
facilities and do the crypto work internally.
DU> Didn't I post a link to the idea of this loose coupling? It is mainly
DU> for security reasons. For example, there's usually a limit of secure
DU> memory and it makes sense to do all the secret key operation in a
DU> minimal core (gpg-agent) to utilize it.
DU> I don't think you can provide the same level of security using
DU> encryption primitives within Emacs.
Not currently, sure. But at this point you're the one arguing
hypotheticals.
>> Forcing users to do all of that, or "no encryption for you" is for
>> their own good, on every platform where Emacs runs, from Android to
>> W32 to Mac OS X to many flavors of Unix. Users are just too stupid
>> to decide these things on their own.
SJT> Stupid, no, but there's a lot of evidence that they are ignorant
SJT> (including many developers incorporating security features in their
SJT> products), and that even experienced experts are oversight- and even
SJT> mistake-prone in this area. Do you claim that that evidence is no
SJT> longer relevant?
I don't think you can justify taking away the freedom to choose because
it might be misused.
DU> I don't get it. Are there any platforms where Emacs work, while GPG
DU> does not?
Please don't turn my point into a debate about why can't I "just use
GnuPG." I'm asking to have a choice. It doesn't mean I don't
understand what EPA/EPG and GnuPG offer, or that I don't like them, or
that I don't use them.
>> Is that how experts with a crypto/security background do it?
SJT> Some of them (the GPG developers) do, for sure.
DU> Better than letting you write encryption code for me.
I plan to write integration code mostly, which is not as risky. But you
make a good point: *you're* the only one writing such code for Emacs
users. Could you be biased in favor of your own code?
DU> Case study (sorry Jose):
DU> https://lists.gnu.org/archive/html/bug-recutils/2012-04/msg00001.html
DU> I can easily imagine you will make similar (or more serious) mistakes
DU> here and there, once crypto primitives are available.
If only there were experts among us and I would allow my code to be
reviewed!
Ted
next prev parent reply other threads:[~2014-02-05 13:41 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-03 22:36 Wherein I argue for the inclusion of libnettle in Emacs 24.5 Lars Ingebrigtsen
2014-02-04 3:21 ` Stefan Monnier
2014-02-04 13:07 ` Ted Zlatanov
2014-02-04 14:44 ` Stephen J. Turnbull
2014-02-04 18:36 ` Ted Zlatanov
2014-02-04 22:44 ` Lars Ingebrigtsen
2014-02-05 2:28 ` Stefan Monnier
2014-02-05 2:39 ` Lars Ingebrigtsen
2014-02-05 7:00 ` Ted Zlatanov
2014-02-05 8:13 ` Stephen J. Turnbull
2014-02-05 13:41 ` Ted Zlatanov [this message]
2014-02-05 15:50 ` andres.ramirez
2014-02-05 17:00 ` chad
2014-02-05 18:55 ` Ted Zlatanov
2014-02-06 5:03 ` Stephen J. Turnbull
2014-02-06 11:49 ` Ted Zlatanov
2014-02-06 13:03 ` Stefan Monnier
2014-02-06 14:28 ` Ted Zlatanov
2014-02-06 15:05 ` Stephen J. Turnbull
2014-02-06 15:54 ` Ted Zlatanov
2014-02-07 2:06 ` Stephen J. Turnbull
2014-02-07 6:51 ` David Kastrup
2014-02-07 7:15 ` Stephen J. Turnbull
2014-02-07 8:53 ` David Kastrup
2014-02-07 10:00 ` Stephen J. Turnbull
2014-02-07 10:49 ` David Kastrup
2014-02-07 20:43 ` Stephen J. Turnbull
2014-02-07 21:42 ` Ted Zlatanov
2014-02-07 22:23 ` Stephen J. Turnbull
2014-02-07 15:30 ` Ted Zlatanov
2014-02-07 9:07 ` Daiki Ueno
2014-02-07 11:54 ` Ted Zlatanov
2014-02-08 8:11 ` Daiki Ueno
2014-02-08 16:59 ` Ted Zlatanov
2014-02-05 8:19 ` Daiki Ueno
2014-02-04 13:10 ` Ted Zlatanov
2014-02-04 16:27 ` Paul Eggert
2014-02-04 18:32 ` Ted Zlatanov
2014-02-04 19:04 ` Paul Eggert
2014-02-04 20:11 ` Ted Zlatanov
2014-02-04 21:46 ` Paul Eggert
2014-02-04 22:44 ` Ted Zlatanov
2014-02-04 22:36 ` Lars Ingebrigtsen
2014-02-05 5:11 ` Daiki Ueno
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87txcdd6d0.fsf@lifelogs.com \
--to=tzz@lifelogs.com \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).