muelli / geysigning

An easier way to sign OpenPGP keys over the local network
GNU General Public License v3.0

merge with monkeysign #16

Open anarcat opened 9 years ago

anarcat commented 9 years ago

hi!

i am one of the main authors of monkeysign, and i am pleasantly surprised to learn about this project. Great idea! Local, keyserver-less keysigning is something that was floating in the air for a while...

i am making the ambitious task here of merging with monkeysign. i'm quite happy that the work wasn't completely duplicated in yet another keysigning software, but I believe the goals of this project totally overlap with what we're trying to do with monkeysign. in other words, feel free to start hacking directly what you need into monkeysign, as a branch maybe, and start modifying the UI directly.

i was thinking of completely redoing the GtkUI anyways. we worked on new mockups for the 3.x version here: http://monkeysign.readthedocs.org/en/latest/ui-mockups/index.html

so anyways, i see you have some monkeypatching in there, i just wanted to let you people know that we're totally open to new contributions directly into monkeysign, and our UI side needs a lot of work, and this seems to be where you're focusing your work. so let's collaborate!

cheers and good job!

muelli commented 9 years ago

Hi! sorry for not having replied earlier. Real-life is hitting me hard these days. Thanks for your initiative! Really Cool. I've sent a few patches to the mailing list and have a few more sitting in my local repository. Is sending patches to the list the most appreciated way of doing things?

Are there plans to make the gpg library something pip-able?

The mockups are cool! You might need to switch to gobject-introspection in order to use a newer Gtk version. zbar might be problematic wrt gobject-introspection. The scan_barcode module uses GStreamer, but it is (as the rest of the software here) not as mature as zbar (or monkeysign).

anarcat commented 9 years ago

Yes, on the mailing list or on the Debian bugtracker is fine.

There are no plans to publish the GPG library further. Writing that library was a mistake: there are already 3 other PGP libraries out there, and writing a fourth one is a useless duplication of effort. Instead, some work will be put in porting the missing stuff into the python-gnupg library.

We have had trouble with zbar: we can't figure out how to get the exact frame where the qrcode was matched, in order to highlight it, which works around certain kinds of in-person attacks (such as an attacker standing behind the victim, showing a big qrcode that overrides the other one). Hopefully, gstreamer would help us fix that.

anarcat commented 8 years ago

Just a small update here to let you know that we now have a Gitlab project hosted on 0xACAB here:

https://0xacab.org/monkeysphere/monkeysign

Bug reports, issues and pull requests are now welcome there as well as on the more traditional mailing list if you prefer.

It would be great to see the improvements you have done on Monkeysign imported in our project. For example, I have opened an issue about improving the protocol for exchanging keys locally, using the local network for the actual key data:

https://0xacab.org/monkeysphere/monkeysign/issues/6

i have also opened an issue about using xdg-email:

https://0xacab.org/monkeysphere/monkeysign/issues/7

if there are other improvements from geysigning that you think are missing from Monkeysign, please do let me know! I'm especially curious to get a better idea of what exactly was fixed in monkeysign itself.

It seems, for example, that you have worked on better dealing with expired keys here: https://github.com/muelli/geysigning/commit/5d672f643b7399ce8ab34528ca3ec7a1b0eb5ffb

there was a discussion and ideas for fixing this in monkeysign in Debian #736548, where a patch is available.

then there's this bit about revoked keys: https://github.com/muelli/geysigning/commit/414d8c5706e3a35fec39c6a37e4a9cf62ed19cc3

it seems those latter patches were sent to the mailing list, where I completely missed them (!), which is unfortunate! another, separate patchset was made by Jerome as well in Debian #723763, but that seems less complete than your approach.

all of those, AFAICT, lack unit tests.

are there other improvements I should be looking at?

just trying to make sense of all of this here. :) thanks!

muelli commented 7 years ago

Regarding the exact frame scanning the barcode: The gstreamer people were very helpful in providing that. The GNOME Keysign scanner widget uses that functionality. It should be easily consumable these days, i.e. you can add it to your Gtk container and it should just work. It's a bug if it doesn't. I'm thinking that it might be useful to other projects to have a barcode scanning widget based on GStreamer.

Other interesting things might include the gpgme based key-signer (https://github.com/muelli/geysigning/commit/b75c5b2004106641de87dd3b6730b451dd375adb) which is probably how one should do gpg things™.

Notice the new repository URL: https://github.com/gnome-keysign/gnome-keysign