gnome keyring & gpg agent

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jun 5 06:20:07 CEST 2015


Control: retitle 760102 gnome-keyring: please build with --disable-gpg-agent
Control: block 760102 with 787786

On Thu 2015-06-04 22:30:21 -0400, Neal H. Walfield wrote:
> At Thu, 04 Jun 2015 22:14:25 -0400, Daniel Kahn Gillmor wrote:

>> >> >   - An update to Gnome-Keyring that disables its GPG Agent proxy.
>> >> 
>> >> Maybe we need to offer them a patch.  the goal here is just to disable
>> >> gnome-keyring's gpg-agent proxy implementation by default, right?
>> >
>> > That's correct.  It should be sufficient to configure gnome keyring
>> > with --disable-gpg-agent (but I haven't tested this).
>> 
>> that would make it so that users who wanted to use gnome-keyring as the
>> gpg-agent (e.g. those who don't have smartcards, don't use gpgsm, and
>> who otherwise ignore the concerns Werner has raised about
>> gnome-keyring's incomplete gpg-agent support) would be unable to do so.
>> 
>> It's a more invasive change than just disabling the functionality as per
>> runtime defaults.
>> 
>> Then again, that might keep us from dealing with a lot of extra bug
>> reports :)
>
> I spoke with Stef (the maintainer of GNOME Keyring, cc'ed) and he
> agrees that removing the proxy is the correct way forward.
>
> The only reason that the proxy exists is to cache passwords.
> pinentry-gnome3 does exactly that in a cleaner way.  In other words:
> it makes the proxy completely redundant.
>
> A GSoC student is working on finishing the changes to GNOME Keyring
> and pinentry-gnome3 (e.g., extending GCR to deal with all of GnuPG's
> prompts).  Nevertheless, the current pinentry version is already more
> complete than the proxy.

Great, this sounds like a good assessment.

I'm forwarding this info to https://bugs.debian.org/760102, which is
already asking for some resolution of this situation.

If gnome-keyring can Depend: pinentry-gnome3 (#787786), it should be
able to build with --disable-gpg-agent.

Thanks for your work on this, all the coordination.

Regards,

        --dkg


