[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails

Subject: Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 19 Nov 2013 12:18:06 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 19 Nov 2013 07:18:11 -0500
In-reply-to: <047.a690d9d711ccf914bff19a3bdcc2491b@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <047.a690d9d711ccf914bff19a3bdcc2491b@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#5463: BridgeDB must GPG-sign outgoing mails
--------------------------+----------------------------
     Reporter:  rransom   |      Owner:  isis
         Type:  defect    |     Status:  assigned
     Priority:  major     |  Milestone:
    Component:  BridgeDB  |    Version:
   Resolution:            |   Keywords:  bridgegb-email
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+----------------------------
Changes (by isis):

 * status:  needs_information => assigned
 * keywords:  important => bridgegb-email
 * owner:   => isis
 * priority:  critical => major


Comment:

 I wrote several tests for the functionality of this, and I'll spare the
 details, but python-gpgme is a horrible, horrible monster and we should
 not be using it.

 Essentially, the TravisCI builds are failing right now (with TESTING gpg
 keys in place, and EMAIL_GPG_SIGN_KEY and enabled) simply because gpgme,
 when you do:
 {{{
 gpgme.Context().import_(open(cfg.EMAIL_GPG_SIGN_KEY))
 }}}
 doesn't import that key. Instead, it imports ''every key in the EUID's
 home directory''. For the continuous integration tests, this means that
 (because the `tor` package from the Debian repositories is installed as
 part of the CI build script) the `deb.torproject.org archive signing key`
 ends up as the first key, gpgme tries to sign a test email with it, and
 craps its pants.

 It is about 50 lines of code to iterate though the fingerprint of every
 uid of every key and find the one that matches the signing subkey...I
 don't trust this thing. I think it is buggy and poorly designed and way
 too many things are going to go wrong with it. Perhaps this is just me
 complaining because I spent a good three months last year writing a python
 gnupg module, but I would actually be worried to deploy using python-
 gpgme. I've not yet assessed how much work it would be to replace it.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5463#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: [tor-bugs] #10190 [Tor Check]: Firefox extension ipFuck (also known as ipFlood) creates erroneous check.torproject fail screen
Next by Author: Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
Previous by thread: Re: [tor-bugs] #10190 [Tor Check]: Firefox extension ipFuck (also known as ipFlood) creates erroneous check.torproject fail screen with two ip addresses
Next by thread: Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
Index(es):
- Author
- Thread