[PATCH] dirmngr: implement --supervised command (for systemd, etc)

Werner Koch wk at gnupg.org
Mon Aug 29 12:14:57 CEST 2016


On Fri, 12 Aug 2016 22:07, dkg at fifthhorseman.net said:

> I see this advice is in doc/tools.texi, but i don't see it used often.
> 'S.log' for GnuPG doesn't show up anywhere else in debian, for example:

I added remarks to the man page and also implemented

log-file socket://

to print to a socket named S.log in GnuPG socket directory.

>> How do you convey the envvars to gpg-agent?  What systemd does is
>> different from what gpg will do; for example the default tty, DISPLAY,
>> and locale may be different.  gpg will also pass --homedir to the
>> invocation of gpg-agent if gpg has been started this way.
>
> gpg conveys envvars to gpg-agent during its use.  This is what allows us
> to run a single daemon that responds to requests from multiple
> concurrent sessions, right?

For the use with screen(1) gpg-agent allows to fix some environment
variables to those used at startup (keep-tty and keep-display).

> projects. :) Even aside from the system service, there's still a lot of
> Win32-specific code, though.  This is not meant as a critique -- i think

Removed with the last release.  Thanks for the reminder.

>> For dirmngr this is not a good idea because we plan to add background
>> tasks (parcimonie).
>
> I'd be a little surprised if most people expected a parcimonie-style
> updater to run (and update their keyring, etc) when they weren't

Others already responded to this.

> problem).  It would still leave sessions open in the background for
> several minutes after logout in some common use cases, but it would be
> far better than having live code running indefinitely.

I guess that most users don't log out but hibernate their session.

> I'm assuming this would be a new configuration option for gpg-agent.
> Maybe --terminate-after-idle ?  What should it default to?  I can send

I do not think that it is important enough to rush this in.  Let's track
it as issue2450.

> System-wide overviews and standardized tooling ("do one thing and do it
> well") aren't unix-like‽ We should probably change that ;) But

Yes, it is similar to unix in the same way VMS POSIX subsystem is
similar to Unix.  But let's not get into this again.  I can't fight
windmills.

> In particular, the ssh-agent model assumes one agent *per X11 session*,
> and gpg-agent assumes one agent *per user*.  If the agent's

The ssh-agent has no such assumption; you can run several ssh agents on
your X11 server and session.  It is just a matter of how the distro
starts ssh-agent.  GnuPG changed with --enable-standard-socket in 2.0
and made that the only option in 2.1.

> However we solve those problems, having process supervision and socket
> activation still seem like good things, so i'd still like these patches
> to be considered by upstream GnuPG.  I don't think they break any

I will look at them in detail soon.  I would however like a more
generalized approach using options like --listing-socket-foo and nothing
systemd specific.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
 /* Join us at OpenPGP.conf  <https://openpgp-conf.org> */