[PATCH GnuPG] agent: Enable restricted, browser, and ssh socket by default.

Justus Winter justus at g10code.com
Tue Sep 20 10:12:09 CEST 2016


Werner Koch <wk at gnupg.org> writes:
>> use the option to specify a different name.  I was carefull not to break
>> anyones setup.
>
> I have not see a way to disable this feature at all.  This be a hard
> requirement.  Actually this is not easy to do if you also want gpgconf
> be abale to modify it.  However, I would except the use of "/dev/null"
> as flag to disable the socket.

Ok.

>> I believe that ssh support and the restricted socket for
>> agent-forwarding are awesome features, please don't hide features in the
>
> Agreed.  Well, your change would not have helped you either.  Adding
> enable-ssh-socket to gpg-agent.conf is the smallest part of the stroy.
> The more complicated thing is the external setup and the new concept.

Sure it helps, it makes it easier to use and way easier to discover in
the first place.

>> people to create awesome tools on top of GnuPG.  Any such tool that
>> requires additional tweaks to the GnuPG configuration either has to
>> change the configuration itself or ask the user to do it.  The former is
>
> Yes, the tools should do that.  gpgconf provides an easy way to change
> the configuraions.  Tools are already chnaging gpg'c configuraion behind
> the back of the user.

Please clarify.  Do you consider automatic changes of the configuration
okay or not?

(Because here you write they should change the configuration, and in the
next paragraph you write they should stick to the default.)

>> frowned upon, and the latter is a huge usability problem.  Therefore,
>> tools using GnuPG are essentially restricted to the set of features that
>> is enabled by default.
>
> Yes, they should stick to that, for example to use the Pinentry by
> default.  If they want something else, they need to tweak things.

What if two tools need contradicting settings?

> Anyway, if you provide a new patch with a way for gpgconf to disable the
> new default and with shorter socket names (e.g. change
> "S.gpg-agent.restricted" to "S.gpg-agent.xtr" or ".extra"), it would be
> hard for me to reject such a patch.

I'm really unhappy with the name 'extra', because it carries little
meaning (we could as well call it 'second', or 'yetanother').
'restricted' on the other hand hints at why you might want to use this
over the standard socket.  Maybe 'remote'...


Cheers,
Justus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20160920/4479fd26/attachment.sig>


More information about the Gnupg-devel mailing list