System wide dirmngr configuration with Gnupg 2.1

Andre Heinecke aheinecke at intevation.de
Fri Jan 23 11:14:22 CET 2015


Hi,

On Thursday, January 22, 2015 02:23:11 PM Daniel Kahn Gillmor wrote:
> On Thu 2015-01-22 12:14:09 -0500, Andre Heinecke wrote:
> > I don't think it will be a problem with legacy systems as the dirmngr.conf
> > was located under /etc/dirmngr/dirmngr.conf in previous versions.
> 
> I generally don't like the idea that system configuration overrides user
> configuration; in principle, the other way around is usually preferable:
> 
>  * the system administrator sets the defaults
>  * the user can customize if they need to.
> 
> So this proposal seems backward to me.

Yes, I agree with you there. I don't want to force users to this configuration. 
Users that have a reason could still start a dirmngr with --homedir ~/.gnupg.

But maybe it really would be better to have dirmngr read the trusted-certs 
from the sysconfig dir and also from the homedir. 

Like:
If --homedir is not explicitly set: Read trusted-certs / config from sysconfig 
dir. Afterwards read trusted-certs / config from homedir and prefer the values 
from the homedir. This would be more similar to freedesktops config_dirs / 
config_home handling. 

I shied away from this as this would be more intrusive and not "GnuPG style" 
(well ok my proposal is neither). But imho this would be nice to have not only 
for dirmngr. As it and would give distributors / admins more options.

> I see the trouble you have, though, since dirmngr is being automatically
> launched.
> 
> What if you just set up the system-wide dirmngr daemon listening on a
> unix-domain socket like /run/gnupg/S.dirmngr, and then for users who
> want to use it, do:
> 
>  ln -s /run/gnupg/S.dirmngr ~/.gnupg/S.dirmngr
> 
> Would that solve your use case?

Not really.
 a) I'm not sure if werner plans to support the system-wide mode forever. And 
I would not like to stray away from debian packaging so far as to still keep 
dirmngr started centrally as a service.

 b) The default should be the system wide config (if it exists) as this is for 
the users that don't know what a dirmngr is. Those who know / care should be 
able to overrule it.


Regards,
Andre

-- 
Andre Heinecke |  ++49-541-335083-262  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150123/e9314ada/attachment.sig>


More information about the Gnupg-devel mailing list