Andrew Gallagher andrewg at andrewg.com
Tue Mar 22 14:55:18 CET 2016

> On 22 Mar 2016, at 10:40, Paolo Bolzoni <paolo.bolzoni.brown at gmail.com> wrote:
> And besides, it's much easier to build a GUI app in front of a C API
> than a command line application.

This is undeniably true. Unfortunately you first need to learn the API, which can be a barrier to someone who knows the command line interface and just wants to hack together a script to do a particular job. 

Cryptography is hard, and decades later we still aren't at the point where average computer users can take advantage of it without either first becoming experts or punching holes in the sides of the boat. For that we need to be encouraging hackers and tinkerers to experiment with novel interfaces; and this is best done by giving them the software equivalent of Lego rather than Meccano. 

This is not a gpg-specific issue. OpenSSL suffers the same problem of having to be both a comprehensive implementation and a user interface, and handles it pretty much the same way, by using a basic command prompt. 

Where is the gpg equivalent of easy-rsa though? This is a complaint about software tools in general, but for hackers and tinkerers inconsistency across UIs is a significant barrier to entry. If I can't take what I've learned from using the command line for years and apply it (safely) to writing a modest shell script, I'm going to think long and hard before taking the time to learn a Python API. At the very least, any feature accessible through an interactive interface should have an equivalent command line option, so that all interactive operations can trivially be automated. Thought should also be given to whether wrapping all functionality in a single binary with thousands of options is the best interface to present to even expert command line users (again, OpenSSL is another offender). 

I say this because I found myself in exactly the same boat as the OP. I wanted to write a small script for my technically-proficient but non-cryptography-expert users so that they could easily manage gpg private keys without me worrying that they'd screw it up; and I ended up with a fragile interface very similar to his that needed to be completely refactored using gpgme. Just interfacing with gpg was the most difficult part of the process; the logic that I built on top of it was easy by comparison. This is the wrong way around.

