Mutt/GnuPG doc initial release

Horacio homega@wanadoo.es
Tue Sep 25 01:29:01 2001 

On Mon, Sep 24, 2001 at 06:00:51PM -0400, Douglas Elznic wrote:

> On Mon, 2001-09-24 at 06:26, Horacio wrote:

> > Any pgp signature, be it pgp/mime or

> > ascii-armored|application/pgp, should not be included in

> > a post to a mailing list unless it is utterly important

> > to confirm the authory of the message.  Sadly, it is up

> > to individuals to learn good net manners and to decide.

> >=20

>=20

> I could not disagree more. First of all I feel that is

> important to sign all mails in order to establish a

> consitent M.O. of always using signatures. This has already

> been discussed here so I will not go into that more.

> However to the mailing list point directly I offer you the

> latest news from vuln-dev. A post was put on vuln-dev

> supposedly from Carolyn Meinel that was suuposed to be a

> root exploit or wuftpd. In actuality all it did was delete

> files off the users hard drive. A pgp signature or more

> accurately a lack there of would have prevented people from

> assuming the code was from carol and running it. Is it

> really such a bother to you to have a couple of extra lines

> of text?


Two examples:

- gnupg-users@gnupg.org mailing list.  If there was a
  horrible bug in gnupg, do you thing W. Koch will send the
  patch attached to his message along with the signature, or
  will he put the patch file and a detached signature file in
  the ftp server and give the pointer to the ftp location
  with the security announcement?

- [lists]@openbsd.org mailing lists.  They are for discussion
  of various topics related to the OS and implemented
  architectures, changes in source or ported software, for
  developers, for advocacy, announcements and security
  announcements.  The load is high in at least a few of them,
  and many used to send all their messages MIME/PGP signed.
  No matter how feeble the message was.  You know, there is
  some processing involved with checking for a key you most
  surely do not have.  And that happened with every MIME/PGP
  signed message you opened to read.  What=B4s the point?  To
  give the whole world assurance that Joe User on the Nth day
  of the X month of the MM year did ask where he could
  download an iso image?
  They applied this demime software for all lists except for
  the ports@ list, which indeed requires people to send their
  ported software to be tested.


Now, the mailing list for your example is ONE where it should
be allowed and encouraged, but that doesn=B4t extend to ALL
lists.  But if there is a real compelling reason to do so,
you can still do it by encoding if there is a demime filter.


--=20
Horacio