Mutt/GnuPG doc initial release

Horacio homega@wanadoo.es
Tue Sep 25 01:29:01 2001


On Mon, Sep 24, 2001 at 06:00:51PM -0400, Douglas Elznic wrote:

> On Mon, 2001-09-24 at 06:26, Horacio wrote:
> > Any pgp signature, be it pgp/mime or
> > ascii-armored|application/pgp, should not be included in
> > a post to a mailing list unless it is utterly important
> > to confirm the authorship of the message. Sadly, it is up
> > to individuals to learn good net manners and to decide.
> >
>
> I could not disagree more. First of all I feel that it is
> important to sign all mails in order to establish a
> consistent M.O. of always using signatures. This has already
> been discussed here so I will not go into that more.
> However to the mailing list point directly I offer you the
> latest news from vuln-dev. A post was put on vuln-dev
> supposedly from Carolyn Meinel that was supposed to be a
> root exploit or wuftpd. In actuality all it did was delete
> files off the user's hard drive. A pgp signature or more
> accurately a lack thereof would have prevented people from
> assuming the code was from Carol and running it. Is it
> really such a bother to you to have a couple of extra lines
> of text?

Two examples:

- gnupg-users@gnupg.org mailing list. If there was a
  horrible bug in gnupg, do you think W. Koch will send the
  patch attached to his message along with the signature, or
  will he put the patch file and a detached signature file
  in the ftp server and give the pointer to the ftp location
  with the security announcement?

- [lists]@openbsd.org mailing lists. They are for discussion
  of various topics related to the OS and implemented
  architectures, changes in source or ported software, for
  developers, for advocacy, announcements and security
  announcements. The load is high in at least a few of them,
  and many used to send all their messages MIME/PGP signed.
  No matter how feeble the message was. You know, there is
  some processing involved with checking for a key you most
  surely do not have. And that happened with every MIME/PGP
  signed message you opened to read. What's the point? To
  give the whole world assurance that Joe User on the Nth
  day of the X month of the MM year did ask where he could
  download an iso image? They applied this demime software
  for all lists except for the ports@ list, which indeed
  requires people to send their ported software to be
  tested.

Now, the mailing list for your example is ONE where it
should be allowed and encouraged, but that doesn't extend to
ALL lists. But if there is a real compelling reason to do
so, you can still do it by encoding if there is a demime
filter.

-- 
Horacio