KGpg

Andre Heinecke aheinecke at intevation.de
Mon Aug 31 09:13:42 UTC 2015 

Hi,

On Sunday, August 30, 2015 08:04:59 PM Rolf Eike Beer wrote:
> Jeremy Whiting wrote:
> > On Sun, Aug 30, 2015 at 8:48 AM, Jeremy Whiting <jpwhiting at kde.org> wrote:
> > > Hey all,
> > > 
> > > I may have found another candidate for unmaintained. KGpg is a ui for
> > > gnupg. I've never used it, but have used kleopatra. Anyway, here's my
> > > reasoning. Please fix any false assumptions I may have made if you
> > > know kgpg or kleopatra better than I:
> > > 
> > > 1. KGpg does gnupg. Kleopatra also does, but is maintained.
> > > 2. KGpg has not been ported to Qt5/kf5, Kleopatra has.
> > > 3. KGpg isn't part of kdepim nor is it maintained by the PIM team,
> > > Kleopatra is.
> > > 
> > > Is there anything that KGpg does that Kleopatra doesn't/can't do? Or
> > > is there any reason to port KGpg to Qt5/kf5 and keep releasing it?
> > 
> > Correction, KGpg is maintained, Rolf made commits as late as last
> > month. My mistake. I gave KGpg a try here and it does seem to work
> > well. Rolf, could you use a hand porting it to Qt5/KF5 ?
> 
> I did not port for the reason that KGpg depends on kdepimlibs (KABC), which
> had no Qt5-based release yet (now it has), and I must confess I can occupy
> my time with other stuff and was too lazy to build it from git. In fact I
> was asked at least twice why there was no KF5-port and both were also too
> lazy to build kdepimlibs stuff themself. Now that there is a release it
> makes actually sense to port, so I hope I can manage it in time for 15.12.
> If someone is bored and wants to assist I will not reject any efforts.

What's the state of GnuPG 2.1 support in KGpg? I've tried to run KGpg (from 
debian jessie) on my with 2.1 and it fails to start with an error that It 
can't find the Gpg-agent. (Probably because there is no mandatory 
GPG_AGENT_INFO anymore)

> Kleopatra can do X.509, which KGpg can't. I never found that really missing.

So you probably never much had encrypted communiction with instutional users. 
;-) S/MIME is pretty widespread there. (At least in Germany)
 
> And KGpg looks so much more beautiful ;) 

Aww, now you've hurt Kleopatra's feelings (Doesn't she have a cute nose) ;-)

But I have to agree there at least for the keylisting. (as Sune and Anne also 
wrote in the other branch of this topich). The Keylisting / visualization of 
validity is imho better in Kgpg. Something I hope to address in Kleopatra at 
some point. This will probably go along with GnuPG's TOFU database / usage 
statistics that are currently worked at. Which will also need new 
representation in GUI's.

Kleopatra at least has the advantage that it uses the official API (gpgme) and 
so it is theoratically much easier to work with new features and different 
versions of GnuPG.

Buit let's not get into a detailed comparision of Kleo vs. Kgpg I don't think 
that would be helpful.

I'd much rather see us working together on a single GUI then splitting the 
effort to work on two Certificate Managers in the KDE community. Of course I 
doub't that will happen.
If you are willing to work on KGpg Ok! Alternatives are good. :-)

There is also another advantage KGpg has over kleopatra, The Kleopatra 
codebase is kind of a beast with a usage of stdc++ and boost that is probably 
unfamiliar to most KDE hackers.

> And it has the CAFF mode, which I doubt Kleopatra has. 

I actually did not know that. Maybe something we could add to Kleopatra then, 
too.

> And it supports photo ids, which I was told was
> intentionally left out of Kleopatra for some policy reasons.

Yes. Afaik this was done because the gnupg maintainer requested us not to 
support this in Kleo. The reasons for this are:
- Gives a false sense of security.
- Increases the attack surface as you need image parsers to parse external 
Input.
- Key size is drastically increased.
- Considered bad practice even though the OpenPGP standard allows for this.

I did not find sources for these claims, just something I picked up in 
discussions. I was not around when it was decided in the first place. Maybe we 
should discuss this again. 



Regards,
Andre

-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/release-team/attachments/20150831/7b126e37/attachment-0001.sig>

More information about the release-team mailing list