Hi,

On Tue, Mar 15, 2016 at 08:38:50PM -0400, Antoine Beaupré wrote:
> By that standard, we should remove a *lot* of stuff from Debian.

yes, we probably should…

> And somehow, you propose we draw the line at... Keybase? Of all places,
> it seems like a weird detour to draw a line. I would totally ban
> Facebook and Google clients way before Keybase.

you have a point here. (and my "argument" in favor is probably a weak one:
lots of user demand for those others…)

> Think of how much security you give up the second you fire up
> Chromium before you complain about issues in Keybase.

I haven't used Chromium for more than a year…

> Well, "encourages" is a big word. It asks you, and defaults to
> "yes". That is a small detail, that can be easily patched in Debian if
> we are so obstinate about it.

I actually like this idea, this detail, a lot.

> In other words, foot-shooting devices are plentiful in Debian. The
> alternative to Keybase, right now, is GPG, and is probably worse, by a
> few orders of magnitude, than keybase in terms of foot-shooting! I have
> seen people:
>
> * sign PGP keys after getting the fingerprints by email in the clear
>   without any other form of authentication
> * lose revocation certificates
> * lose their private GPG (and therefore access to their data and
>   previous communications)
> * mistakenly revoke their keys by double-clicking on them (oops)
> * mistakenly publish their private key material

point.

> All this with our so beloved GPG that we hold dear to our hearts. GPG is
> one of the worst usability nightmares in the history of crypto computing,
> yet we not only use it, but manage the whole Debian upload process and
> voting with it.
>
> So please, foot-shooting is not an argument against new software coming
> into Debian. From what I can see, it's almost a philosophy to make
> crypto software so cryptic no one can actually use them properly without
> reading a 20 page manual.

Sadly I have to agree here too :/

> > Which actually can be seen as an endorsement for packaging this.
>
> That, again, is quite a stretch. I have been very explicit in my blog
> and on Twitter that I do not endorse keybase. I don't understand why you
> misconstrue my intentions that way.

because that's what people always^woften do. (understand each other
differently than intended by the speaker…)

> I do not believe in Hell. :p

:-) me neither, but I do use the figure of speech…

> > So I will speak up: please don't package this for Debian (as long as the
> > flaws are as they are now…), please close this RFP.
>
> I wasn't planning on packaging this for Debian, for the record. This is
> an RFP, not an ITP, and not assigned to anyone.
>
> I'm just the messenger.

I wasn't addressing you here, I should have probably made this more clear.

Really thanks for your comments, they make a lot of sense to me! (Much more
than your blogpost alone.)

--
cheers,
	Holger