gnome keyring & gpg agent
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jun 5 06:20:07 CEST 2015
Control: retitle 760102 gnome-keyring: please build with --disable-gpg-agent
Control: block 760102 with 787786
On Thu 2015-06-04 22:30:21 -0400, Neal H. Walfield wrote:
> At Thu, 04 Jun 2015 22:14:25 -0400, Daniel Kahn Gillmor wrote:
>> >> > - An update to Gnome-Keyring that disables its GPG Agent proxy.
>> >>
>> >> Maybe we need to offer them a patch. the goal here is just to disable
>> >> gnome-keyring's gpg-agent proxy implementation by default, right?
>> >
>> > That's correct. It should be sufficient to configure gnome keyring
>> > with --disable-gpg-agent (but I haven't tested this).
>>
>> that would make it so that users who wanted to use gnome-keyring as the
>> gpg-agent (e.g. those who don't have smartcards, don't use gpgsm, and
>> who otherwise ignore the concerns Werner has raised about
>> gnome-keyring's incomplete gpg-agent support) would be unable to do so.
>>
>> It's a more invasive change than just disabling the functionality as per
>> runtime defaults.
>>
>> Then again, that might keep us from dealing with a lot of extra bug
>> reports :)
>
> I spoke with Stef (the maintainer of GNOME Keyring, cc'ed) and he
> agrees that removing the proxy is the correct way forward.
>
> The only reason that the proxy exists is to cache passwords.
> pinentry-gnome3 does exactly that in a cleaner way. In other words:
> it makes the proxy completely redundant.
>
> A GSoC student is working on finishing the changes to GNOME Keyring
> and pinentry-gnome3 (e.g., extending GCR to deal with all of GnuPG's
> prompts). Nevertheless, the current pinentry version is already more
> complete than the proxy.

Great, this sounds like a good assessment.

I'm forwarding this info to https://bugs.debian.org/760102, which is
already asking for some resolution of this situation.

If gnome-keyring can Depend: pinentry-gnome3 (#787786), it should be
able to build with --disable-gpg-agent.

Thanks for your work on this, all the coordination.

Regards,

--dkg