Mutt/GnuPG doc initial release
Horacio
homega@wanadoo.es
Tue Sep 25 01:29:01 2001
On Mon, Sep 24, 2001 at 06:00:51PM -0400, Douglas Elznic wrote:
> On Mon, 2001-09-24 at 06:26, Horacio wrote:
> > Any pgp signature, be it pgp/mime or
> > ascii-armored|application/pgp, should not be included in
> > a post to a mailing list unless it is utterly important
> > to confirm the authorship of the message. Sadly, it is up
> > to individuals to learn good net manners and to decide.
> >
>
> I could not disagree more. First of all I feel that it is
> important to sign all mails in order to establish a
> consistent M.O. of always using signatures. This has already
> been discussed here so I will not go into that more.
> However, to the mailing list point directly, I offer you the
> latest news from vuln-dev. A post was put on vuln-dev
> supposedly from Carolyn Meinel that was supposed to be a
> root exploit for wuftpd. In actuality all it did was delete
> files off the user's hard drive. A pgp signature, or more
> accurately a lack thereof, would have prevented people from
> assuming the code was from Carol and running it. Is it
> really such a bother to you to have a couple of extra lines
> of text?
Two examples:
- gnupg-users@gnupg.org mailing list. If there was a
horrible bug in gnupg, do you think W. Koch will send the
patch attached to his message along with the signature, or
will he put the patch file and a detached signature file in
the ftp server and give the pointer to the ftp location
with the security announcement?
- [lists]@openbsd.org mailing lists. They are for discussion
of various topics related to the OS and implemented
architectures, changes in source or ported software, for
developers, for advocacy, announcements and security
announcements. The load is high in at least a few of them,
and many used to send all their messages MIME/PGP signed.
No matter how feeble the message was. You know, there is
some processing involved with checking for a key you most
surely do not have. And that happened with every MIME/PGP
signed message you opened to read. What's the point? To
give the whole world assurance that Joe User on the Nth day
of the X month of the MM year did ask where he could
download an iso image?
They applied this demime software for all lists except for
the ports@ list, which indeed requires people to send their
ported software to be tested.
Now, the mailing list for your example is ONE where it should
be allowed and encouraged, but that doesn't extend to ALL
lists. But if there is a real compelling reason to do so,
you can still do it by encoding if there is a demime filter.
-- 
Horacio