[Pkg-privacy-maintainers] Taking over Monkeysphere

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Aug 14 21:31:16 BST 2023 

Hi John--

On Mon 2023-08-14 11:52:46 -0400, Antoine Beaupré wrote:
> On 2023-08-12 09:05:10, John Scott wrote:
>> I'd like to take over Monkeysphere upstream and downstream. Could you grant me access to the Salsa repo?
>>
>> I have a vision for it that is a little different from what it is now, so I think adding in a NEWS file saying "speak up now if you want this particular functionality" is the way to go in the near-term, and in the long term the package contents will change radically. This is better than simple removal of the package.

Thanks for your interest in the monkeysphere!

I'd love to hear more about what you want the monkeysphere project to
become, particularly the "change radically" part.  I share some (but not
all) of anarcat's sentiments here:

> I am not sure. I do think the best approach is to remove Monkeysphere
> from Debian, actually. The code is basically dead and mostly non-working
> for most purposes. The web-of-trust is dead as well, which is partly
> what Monkeysphere assumed would exist to make sense of things.

I do think that given the current state of monkeysphere, we should
remove it from debian, salvaging what people actually use (e.g. i use
agent-transfer myself, but that doesn't need to be part of the
monkeysphere package at all).

I do *not* think that the web-of-trust is necessarily dead, but i also
think it needs a lot more clear thought than it has been given in the
past, to the extent where i even doubt the name "web of trust" (i've
been known to call it a "network of identity certifications" which isn't
nearly as catchy, but is closer to the truth).

> Furthermore, the code was a good first prototype, but I think it should
> be discarded, not worked on directly.

I agree that the code would probably be better re-written with a
sensible OpenPGP interface, rather than monkeysphere's bash hackery
around GnuPG's idiosyncrasies.

> I think a best use of your efforts would be inside the Sequoia project,
> personnally. We should have retired Monkeysphere properly, but alas that
> did not happen...

We definitely should have, and i consider it to be on me that that
didn't happen.  Sorry about that.  But if someone wants to develop the
naame "monkeysphere" into a similar concept with actually working code,
i don't object to that kind of a reincarnation.

I've uploaded the git history of the project to
https://0xacab.org/monkeysphere/monkeysphere (it's mostly identical to
what was on salsa) and i welcome John to work on it if he feels so
inclined.  I'm following up over on
https://lists.riseup.net/www/info/monkeysphere for more discussion about
the project.

I think you'll find that some of the developers who contributed to
monkeysphere in the past will be interested in your plans, whether or
not they end up involving the monkeysphere name itself.

       --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/attachments/20230814/06164d12/attachment.sig>

More information about the Pkg-privacy-maintainers mailing list