Talk:GNU Privacy Guard

Latest comment: 8 months ago by 43.224.36.205 in topic application support for GPG

Old Discussion

edit

Matt, I puzzled over that wording and was not happy with what I ended up with. You've solved exactly the problem I had with it, and within minutes too. Thanks. ww 14:58, 1 Jun 2004 (UTC)

Glad I could help! It's got me thinking, though: does anyone proactively audit GnuPG, like is done in OpenBSD? — Matt 15:27, 1 Jun 2004 (UTC)
If you mean the software itself, yes, why not? The GNU project is the place where the heart of open source develompent beats. Cbguder 17:09, Jun 2, 2004 (UTC)
I think it was "crypto auditing" Matt meant here, and I don't know. Clearly there is some 'lots of eyeballs means all bugs are shallow' stuff, as Nuygen's observation is an example thereof, and Cbguder probably had one or more apects of that in mind here, but formal auditing... ?? Sorry not to have known. This goes on my things to checklist, I suppose. ww 13:58, 3 Jun 2004 (UTC)
Well, what's formal in the free software scene anyway? =) Btw, ww, thanks for moving the logo, it looks much better now. =) Cbguder 15:03, Jun 3, 2004 (UTC)
I'd take the credit, but I suspect Matt would object. It was his fault! As for formal, I meant here planned, intentional, regular, deliberate, explicit as opposed to catch as catch can, when/if someone notices, etc. Like that. ww 18:02, 3 Jun 2004 (UTC)
I see, here's the case: it's not that loose so that the whole project depends on coincidences, but there are no guarantees either. There are people devoted to every project, and of course these projects have leaders and sometimes even schedules. They don't stumble by bugs, they search for them, but still no guarantees... =) Cbguder 19:57, Jun 3, 2004 (UTC)
As of 2007, There has been at least one person (Felix von Leitner) interested in doing an OpenBSD-style secure code audit. He even provided a diff. From http://seclists.org/fulldisclosure/2007/Jan/0267.html :

I did a gnupg audit recently. I was, frankly, appalled by the code quality. It is a desert of pointer manipulation, string copying, memcpy and strcpy are used all over the place, and sprintf, too.

165.91.215.88 17:11, 12 October 2007 (UTC)Reply
Felix did find a few minor bugs, but a lot of his claims were totally incorrect and based on misunderstanding how gpg works (for example, he claimed guessing the pid, time and some uninitialized stack data was enough for an attack (it isn't)). I've audited gpg occasionally, but nothing formal, eg [1], [2], [3], and a few others. If someone wanted to set up a formal audit, I'd get involved. Unlike Felix, I quite like the gpg codebase. -- taviso 20:38, 14 October 2007 (UTC)Reply

added 'how to use' section

edit

I hope it's OK that I've added a new section with only an outline of the desired content.

I've found the GnuPG documentation to be difficult to understand, since they are so expansive and seem to be designed for experts who will read the document from start to finish. What I need -- and what I think others need, hence my addition of a skeletal section to this fine webpage -- is a simple few-step guide.

If (or when) I figure out how to do these simple things, I'll add something here. Well, that's assuming that my change doesn't get reverted by folks who know better what should be here.

I actually know how to do some of the steps, but the exporting step isn't working well. It seems that I have to edit a file in ~/.gnupg, which is OK except that I don't know the syntax to use for, say, the MIT keyserver, which is the one I normally favour for web-based work.

--Dankelley 17:32, 27 Nov 2004 (UTC)

It sounds like a great idea, but this article isn't really the place for it. It would work well on Wikibooks, though. — Matt 18:20, 27 Nov 2004 (UTC)
Thanks. It seems you're the authority, so please go ahead and delete/revert my added section. Thanks for getting back to me, and thanks for your work on this page. --Dankelley 00:24, 28 Nov 2004 (UTC)
Thanks (although I've only contributed a small amount to this article!) I should really also point out that nobody on Wikipedia has any more rights or say-so over a page than anyone else...in a sense, everyone is the "authority" — but the aim is to produce encyclopedia articles, and "tutorial"-type content doesn't really fit on Wikipedia. Of course, you'd be very welcome if you wanted to help expand the description of how GnuPG works (it could do with some work), but the slant is towards describing the system, rather than teaching people how to use the software. — Matt 00:45, 28 Nov 2004 (UTC)
Dankelley, you might want to start something in Wikibooks as Matt suggested, I am willing to help too. We can look at Wikibooks:Cryptography or Wikibooks:Cryptography:Digital_signatures to find where to put this "GnuPG (Howto)" book, and start! In fact, I even thought I should one day or another put my Enigmail tutorial in wikibooks too ;-) -- ClementSeveillac 04:00, 28 Nov 2004 (UTC)

POV

edit

The new additions to the second paragraph under "Problems" seem a little too POV Suggestions? Turnstep 14:45, September 8, 2005 (UTC)

I've edited a little, primarily removing bits that (I felt) wasn't necessary. For stuff like this, I think it's easiest to stick to simple statements of facts, and not try and provide commentary or analysis. — Matt Crypto 16:39, 8 September 2005 (UTC)Reply

I have changed the paragraph on GPGME, due to factual errors: gpg and gpgme do communicate through a stable interface designed for machine use (ala GDB annotated machine interface). An API does not need to be a function call. Described an advantage of using a co-processes. -Werner

Image

edit

I added an image that shows the general form of an encrypted file using the PGP protocol. I hope nobody minds; I personally feel that it's a useful addition. Midwinter 01:28, 23 January 2006 (UTC)Reply

links pointing to the same article

edit

While it's true that parsimony suggests conflation of the links, I reverted it for two reaosns. First, the links may not always point ot hte same thing as WP changes and morphs. And, second, there are two distinct entities being pointed at here, even if they are currently pointing to the same thing. One's a standard, one's a software product. Infact, I think the problem is that there should be two articles. ww 20:21, 4 June 2006 (UTC)Reply

I agree that there should be two articles. — Matt Crypto 22:31, 4 June 2006 (UTC)Reply

Enigmail a compromise?

edit

I don't understand why Enigmail should compromise GPG's security (even hypothetically). Did Evolution and KMail's developers consult the GPG team? Jancikotuc 19:38, 24 February 2007 (UTC)Reply

A long time ago I worked with the Evolution authors to sort out problems introduced by the Evo design. I worked closely together with the KMail authors and we implemented some nice stuff to help identify what has been signed by whom. As usual with the KDE code base things may change to the worse or better from time to time. Werner Koch (talk) 14:43, 14 August 2013 (UTC)Reply

Fair use rationale for Image:PGP form.png

edit
 

Image:PGP form.png is being used on this article. I notice the image page specifies that the image is being used under fair use but there is no explanation or rationale as to why its use in this Wikipedia article constitutes fair use. In addition to the boilerplate fair use template, you must also write out on the image description page a specific explanation or rationale for why using this image in each article is consistent with fair use.

Please go to the image description page and edit it to include a fair use rationale. Using one of the templates at Wikipedia:Fair use rationale guideline is an easy way to ensure that your image is in compliance with Wikipedia policy, but remember that you must complete the template. Do not simply insert a blank template on an image page.

If there is other fair use media, consider checking that you have specified the fair use rationale on the other images used on this page. Note that any fair use images lacking such an explanation can be deleted one week after being tagged, as described on criteria for speedy deletion. If you have any questions please ask them at the Media copyright questions page. Thank you.

BetacommandBot (talk) 15:29, 8 March 2008 (UTC)Reply

Cross-compilation paragraph

edit

The paragraph containing the cross-compilation mention seems out of place, but the sentences talking specifically about cross-compilation seem completely unnecessary for the article in my opinion. I didn't remove them, though, since, well, it's just my opinion. --Sydius (talk) 00:12, 16 August 2008 (UTC)Reply

Agreed. It's gone. Chris Cunningham (not at work) - talk 11:47, 16 August 2008 (UTC)Reply
    Just Curious: Would a Creative Commons License do? Supposing you're the author... 

I'd love to know how I got that boxy thingie to work : ) Didn't intention it,
but there it is 189.178.9.116 (talk) 11:26, 18 August 2008 (UTC)Reply

Pointdexter's Carnivore working overtime?

edit

I used to use Phil Zimmermann's freeware PGP back in the day. All of a sudden, if you even GPG or PGP sign an email, it's going into some black hole somewhere; like it never existed! I live in Mexico, and I've tried sending stuff to other recipeints in Mexico, albeit using Yahoo mail and Gmail, both of which are based in the States... and we all know how packets use the TCP part of TCP/IP to go all over the world looking for the path of least resistance... but still, this is spooky stuff! I've run a number of tests. If I even dare encrypt anything, it never gets even back to my own CC or BCC! I'm curious to see if this comment makes it on to Wiki... and how long it lasts.

189.178.9.116 (talk) 10:49, 18 August 2008 (UTC)Reply

Well, the preview shows my IP instead of my handle. If anyone wants to respond, my username in Wiki is manuelcuribe... That IP is meaningless. Like most amateur broadband subscribers, they keep us on a 24 hour revolving "floating" IP so we can't serve off our home machines without paying a small fortune... or setting up an IP pinger re-direct page, which I haven't. manuelcuribe 189.178.9.116 (talk) 11:32, 18 August 2008 (UTC)Reply

I have a hard time believing this could be true. I'd believe the government copying/reading encrypted mail before I'd believe them blocking it... it seems more likely that something else happened. If this really is a problem, though, maybe just compress the message and send it as an attachment. Maybe they look for the PGP header. --Sydius (talk) 19:01, 18 August 2008 (UTC)Reply
Great suggestion, I'm going to try that... — Manuel 189.140.35.218 (talk) 19:01, 19 August 2008 (UTC)Reply
This is not a solution to your problem, just an observation. Carnivore was an FBI program devoted to vacuuming Internet traffic from an individual or organization, supposedly only after acquiring a warrant from a judge. Poindester's project was at a higher level -- national security -- and involved vacuuming just about anything they could suck up from the 'Net, without a warrant of any kind. Supposedly, the Poindexter project was cancelled, but the FBI has renamed (and presumably reimplemented) Carnivore. They're still in the interception business, still supposedly only with a warrant. ww (talk) 20:33, 19 August 2008 (UTC)Reply
maybe it's not even the government. Two years ago, for some time I had problems with GPG signed mails not reaching some recipients. It turned out that it was a spam filter at the web mail provider of these recipients, which somehow learned to classify GPG signed mails as spam. I wrote a mail to that provider, and shortly thereafter the problem disappeared 88.217.5.239 (talk) 02:52, 12 March 2011 (UTC)Reply

Security, Clear Statement on

edit

It would be nice if the article stated in clear language the following:

1. Is the security of messages encoded with GPG is good as the security of messages encoded with PGP?

2. Are messages encoded using GPG (or, for that matter, PGP) secure?

Allan Marain 20:27, 11 September 2011 (UTC) — Preceding unsigned comment added by Marainlaw (talkcontribs)

Weird things about the article

edit

After a quick read:

  1. The "Usage" section starts with "Although the basic GnuPG program has a command line interface ..." and then goes on at length about other software which can invoke gpg. (Interesting high-level applications in wide use, like signing Git tags or signing software for distribution (Debian etc) seems not to be mentioned.)
  2. The article goes on and on about the first "Problem", trying to prove it's not a problem after all. Which of course it isn't, since it was solved a decade ago!
  3. The second "Problem" is "GnuPG is [...] not written as an API which can be incorporated into other software." Which is funny given (1) above. Then it becomes obvious that IPC doesn't count as an API in the eyes of the author. Then you ask yourself "well, how is it a problem that the API is IPC-based?" Then the author turns around and explains that this is really a good thing!

JöG (talk) 20:44, 16 October 2012 (UTC)Reply

Update text relating to patented algorithms and IDEA

edit

> GnuPG does not use patented or otherwise restricted software or algorithms, like the IDEA encryption algorithm used in PGP. (It is in fact possible to use IDEA in GnuPG by downloading a plugin for it, however this may require getting a license for some uses in some countries in which IDEA is patented.)

According to International Data Encryption Algorithm - "The last patents expired in 2012 and IDEA is now patent-free and thus free to use".

Does this need updating? — Preceding unsigned comment added by Liamzebedee (talkcontribs) 11:39, 11 March 2013 (UTC)Reply

Thankfully nobody cares about IDEA anymore, they patented themselves into irrelevance. I vote to just delete it. -- intgr [talk] 19:26, 11 March 2013 (UTC)Reply
edit

I just read this section and the corresponding article at the washington post. Said article has now features this paragraph: "Correction: This post previously contained an update that erroneously stated that Greenwald confirmed Snowden had authored the video. Greenwald said he could not confirm the authorship of the video." I therefore suggest to remove this paragraph, or to reformulate it to reflect this correction. Sorry if this appears lazy—but I'm simply no native english speaker and I don't want to interfere with the authors. --Hobbyhobbit (talk) 19:38, 1 July 2014 (UTC)Reply

edit

Hello fellow Wikipedians,

I have just modified one external link on GNU Privacy Guard. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 22:15, 6 January 2017 (UTC)Reply

Limitations section almost entirely inaccurate

edit

The major points in this section regarding GPGME and how it works are factually incorrect and based on some misunderstandings or false assumptions. Though described as "high level" that's by comparison to assembly language and truly low level operations. GPGME isn't a wrapper in the sense most developers think of, it's a C API intended for C developers to compile into their software and include via header files.

The subsequent statement regarding out-of-band calls to the GPG executable is also entirely wrong. GPGME directly accesses the libraries utilised by GPG and is developed alongside the engines' code. So it is able to access libgcrypt, libgpg-error, libassuan and so on directly; as well as the built-in components of the gpg and gpgsm programs without simply running the binaries directly. Some of those components (e.g. gpg-agent) run as system daemons and are accessible via UNIX sockets.

One of the reasons for GPGME is because command line invocation is not guaranteed to remain unchanged. That being the case, it's illogical to provide an API which merely calls the exact thing being discouraged for programmatic purposes.

Now ... I'd change this myself, but it's disclaimer time: I'm a member of the GnuPG Project and specifically on GPGME. So someone who is not me will need to independently verify this and then update it. --BenM (talk) 01:42, 2 April 2018 (UTC)Reply

application support for GPG

edit

The application support for GPG cannot be verified. The necessary Windows binaries pgpcore.dll pgpmime.dll are unavailable.

@Big 43.224.36.205 (talk) 19:21, 21 March 2024 (UTC)Reply