Re: Refactoring of mml1991.el, mml2015.el, mml-smime.el

[Greg Troxel <gdt@lexort.com>]

[-- Attachment #1: Type: text/plain, Size: 3469 bytes --]


Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:

[I have not yet absorbed your entire message and am commenting selectively.]

> * Passphrase caching
>
> If I’m not mistaken, with GnuPG 2.x (and gpgsm) passphrases cannot be
> cached within Emacs as gpg-agent is started automatically and tries to
> invoke a pinentry program.  So caching-related variables only apply to
> GnuPG 1.x and S/MIME with openssl (I suggest not to advertise the
> latter any longer, see separate point below).

I'm not sure that it is "cannot", as it seems that gpg2 should be
configurable not to use gpg-agent.  But, I can't find that in the docs,
and it seems clear that gpg-agent is the gnpug-recommended method.

Also, one can use gpg-agent with gnupg1 with the "use-agent" option.

> In fact, one of my test cases
> (mml-epg-en-decrypt-passphrase-no-cache-smime-todo)
> has an expected failure for gpgsm, as the cache is not inspected.
> Another test case (mml-epg-en-decrypt-passphrase-no-cache-openpgp-todo)
> is skipped for GnuPG 2.x.
> Is there a way to cache passphrases within Emacs, even with gpgsm and
> GnuPG 2.x?

Are you saying that you think it is a good idea to cache passphrases
within emacs, for general use, or to enable tests?

> Note that GnuPG 2.x is where the development happens, and according to
> GnuPG’s README, “2.0 is the current stable version for general use”,
> while “1.4 is the old standalone version which is most suitable for
> older or embedded platforms.”
> So, if we cannot cache for the current stable version, should we not
> recommend caching inside gpg-agent in general and get rid of the
> associated code?  Even if there was a way, should we not recommend
> caching inside gpg-agent in general?

I'm having a little trouble following "should we not".

So if you mean:

  within elisp code in gnus/epg/etc. we should remove the code that
  caches passphrases

  we should expect people to use gnupg's gpg-agent(1) program to deal
  with caching if they want to cache, including telling people to do
  that with gnupg1.

  we should realize that openssl-based mime will not have any caching in
  emacs or externally, but that's ok because that code is or will be
  deprecated soon

then that sounds good.    

> * Preference for openssl vs epg (gpgsm)
>
> Currently, Gnus prefers openssl over epg (gpgsm), via
> (defcustom mml-smime-use (if (featurep 'epg) 'epg 'openssl))
> in mml-smime.el.  However, epg does not get loaded on its own even if it
> is present.  Thus, users need to set mml-smime-use or require epg in
> their ~/.emacs, but the manual does not mention gpgsm at all.
> Where would be an appropriate place to (require 'epg)?
> I propose to change that preference in favor of epg (gpgsm) as:
> ** Gpgsm manages certificates (storage, expiry, revocation).
>    Users need to perform those tasks manually with openssl.
> ** Openssl has bugs as documented in the BUGS section of man smime(1).
>    In particular: SMIMECapabilities are ignored, no revocation checking
>    is done on the signer's certificate.
> ** Advertised SMIMECapabilities include broken encryption algorithms.
>    With the precompiled openssl 1.0.1f on my system RC2 is advertised,
>    which should have been dropped since S/MIME 3.x, see:
>    https://tools.ietf.org/html/rfc5751#appendix-B

Having tried to use both for S/MIME, I concur with recommending gpgsm.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 180 bytes --]