From marcus.brinkmann at ruhr-uni-bochum.de Tue Jun 1 15:06:58 2010
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: 1 Jun 2010 15:06:58 +0200
Subject: Copy-paste in pinentry-qt4
In-Reply-To:
References: <201001082153.11060.kp2010@koospol.nl>
Message-ID: <4C0505F2.4010700@ruhr-uni-bochum.de>

On 05/24/2010 02:12 AM, Georgios Dimitropoulos wrote:
> I see this behaviour in many programs that do not accept copy/paste passwords and
> they really piss me off, because they play "daddy" with the user.

There can only be one default, but security considerations are different
from environment to environment. I can understand that the default
pinentry settings are not optimal for your security requirements.
However, we will never get to a state where the same defaults are
appropriate for everyone. GNU/Linux distributions usually handle the
integration issues to give a seamless user experience for a specific
target user group; you should take the issue of the right default up
with your preferred distribution.

Moving away from the default discussion, there are several things I want
to point out to you which may address your issues at different levels:

* Pinentry always supported the option "--no-grab" to prevent grabbing
  the keyboard and screen for more compatibility.

* There are several implementations of pinentry, which offer different
  integration strategies (Curses, Gtk 1, Gtk 2, Qt 3, Qt 4).

* The pinentry protocol is specified and easy to reimplement. The
  pinentry package contains a self-contained implementation of
  everything necessary to build your own pinentry that integrates with
  your preferred environment.

As an example, we have found that the existing pinentry-qt4 with its
custom secure text entry widget does not work on the Maemo platform, so
we made a custom pinentry-qt that uses the standard QLineEdit widget,
which integrates better into the customised Maemo environment. A good
programmer can do this in a couple of hours even if he had no previous
experience with pinentry, qt, or maemo. There is nothing stopping
distributions from doing the same integration work, if there is demand
for it.

> Other than that, I was greatly annoyed as well, that I had to install seahorse,
> which in turn installed pinentry, to figure out why gpa 0.8.0 was giving me
> "general error" from library gpgme, since in fedora 12, somebody forgot to put
> pinentry as a resolved dependency for installing gpa.

The popular distributions have not yet made the transition to a
completely functional GnuPG 2 architecture. There are various reasons
for that, but the default settings of pinentry should not be any concern
in this matter.

> All these little loose ends, kind of sloppiness, in the whole "story" does not
> exactly help me trust crypto as a business plan.

Usability of cryptography does not seem to be a major focus of popular
GNU/Linux distributions. For example, the enigmail plugin for
thunderbird in the beta version of Ubuntu 10.04 was broken for several
weeks just prior to the release (it was then fixed shortly before the
official release). That's just how it is, and to change it you'll have
to invest time or money or both.

With free software, you get the good and the bad, with full
transparency, and an invitation for participation to make it even
better. What you don't necessarily get with free software is a
hand-tailored package to support your specific business plan. That's
what development and support contracts are for.

Thanks,
Marcus
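
The pinentry protocol mentioned in the message above, as an added example that is not part of the original post or of the pinentry package: a minimal line-based responder that greets, stores SETDESC/SETPROMPT, answers GETPIN with a percent-escaped "D" line, and reports cancellation or unknown commands as errors. The names serve, tty_ask, escape and err are hypothetical, and unlike the real pinentry programs this sketch does no keyboard grab and keeps the passphrase in ordinary memory.

```python
import getpass
import sys
from urllib.parse import unquote

# libgpg-error packs an error as (source << 24) | code; 5 is the pinentry source.
SRC_PINENTRY, CANCELED, UNKNOWN_CMD = 5, 99, 275
ACCEPTED = {"SETTITLE", "SETOK", "SETCANCEL", "SETERROR", "OPTION", "NOP", "RESET"}

def err(code, text):
    return f"ERR {(SRC_PINENTRY << 24) | code} {text}"

def escape(data):
    # '%', CR and LF must be percent-escaped inside an Assuan "D" line.
    return data.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")

def tty_ask(desc, prompt):
    # getpass prefers /dev/tty, so stdin stays free for the protocol; None = cancel.
    try:
        return getpass.getpass(f"{desc}\n{prompt} ")
    except (EOFError, KeyboardInterrupt):
        return None

def serve(inp, out, ask=tty_ask):
    texts = {"SETDESC": "", "SETPROMPT": "PIN:"}
    def send(line):
        out.write(line + "\n")
        out.flush()
    send("OK Pleased to meet you")
    for raw in inp:
        word, _, arg = raw.strip().partition(" ")
        cmd = word.upper()
        if not cmd or cmd.startswith("#"):
            continue                      # blank lines and comments get no reply
        if cmd == "BYE":
            return send("OK closing connection")
        if cmd in texts:
            texts[cmd] = unquote(arg)     # arguments arrive percent-escaped
        if cmd in texts or cmd in ACCEPTED:
            send("OK")                    # acknowledged, not acted on in this sketch
        elif cmd != "GETPIN":
            send(err(UNKNOWN_CMD, "Unknown IPC command"))
        elif (pin := ask(texts["SETDESC"], texts["SETPROMPT"])) is None:
            send(err(CANCELED, "Operation cancelled"))
        else:
            send("D " + escape(pin))
            send("OK")

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```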