Bug#760102: gnome keyring & gpg agent

Stef Walter stefw at gnome.org
Fri Jun 5 13:37:26 UTC 2015


On 05.06.2015 06:20, Daniel Kahn Gillmor wrote:
> Control: retitle 760102 gnome-keyring: please build with --disable-gpg-agent
> Control: block 760102 with 787786
> 
> On Thu 2015-06-04 22:30:21 -0400, Neal H. Walfield wrote:
>> At Thu, 04 Jun 2015 22:14:25 -0400, Daniel Kahn Gillmor wrote:
> 
>>>>>>   - An update to Gnome-Keyring that disables its GPG Agent proxy.
>>>>>
>>>>> Maybe we need to offer them a patch.  the goal here is just to disable
>>>>> gnome-keyring's gpg-agent proxy implementation by default, right?
>>>>
>>>> That's correct.  It should be sufficient to configure gnome keyring
>>>> with --disable-gpg-agent (but I haven't tested this).
>>>
>>> that would make it so that users who wanted to use gnome-keyring as the
>>> gpg-agent (e.g. those who don't have smartcards, don't use gpgsm, and
>>> who otherwise ignore the concerns Werner has raised about
>>> gnome-keyring's incomplete gpg-agent support) would be unable to do so.
>>>
>>> It's a more invasive change than just disabling the functionality as per
>>> runtime defaults.
>>>
>>> Then again, that might keep us from dealing with a lot of extra bug
>>> reports :)
>>
>> I spoke with Stef (the maintainer of GNOME Keyring, cc'ed) and he
>> agrees that removing the proxy is the correct way forward.
>>
>> The only reason that the proxy exists is to cache passwords.
>> pinentry-gnome3 does exactly that in a cleaner way.  In other words:
>> it makes the proxy completely redundant.
>>
>> A GSoC student is working on finishing the changes to GNOME Keyring
>> and pinentry-gnome3 (e.g., extending GCR to deal with all of GnuPG's
>> prompts).  Nevertheless, the current pinentry version is already more
>> complete than the proxy.
> 
> Great, this sounds like a good assessment.
> 
> I'm forwarding this info to https://bugs.debian.org/760102, which is
> already asking for some resolution of this situation.
> 
> If gnome-keyring can Depend: pinentry-gnome3 (#787786), it should be
> able to build with --disable-gpg-agent.
> 
> Thanks for your work on this, all the coordination.

Great work, Neal.

Confirming that I'll be ready to remove the code once the new pinentry
makes it into a release. Removing code always makes me smile :)

/me guesses there will be a few pieces to pick up, e.g. figuring out how
to enable the new pinentry by default when running in GNOME. But it's
early in the GNOME 3.17 6-month release cycle and we can work that out
after removal of the agent.

Stef




More information about the pkg-gnome-maintainers mailing list