Debian Bug report logs - #466669
RFP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Jan Hauke Rahm <jhr@debian.org>

Date: Wed, 20 Feb 2008 09:33:04 UTC

Severity: wishlist

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, <wnpp@debian.org>:
Bug#466669; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, <wnpp@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jan Hauke Rahm <info@jhr-online.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail
Date: Wed, 20 Feb 2008 10:32:01 +0100
Package: wnpp
Severity: wishlist
Owner: Jan Hauke Rahm <info@jhr-online.de>

* Package name    : squirrelmail-gpg
  Version         : 2.1
  Upstream Author : Brian G. Peterson <gpg@braverock.com>
* URL             : http://www.squirrelmail.org/plugin_view.php?id=153
* License         : GPL
  Programming Lang: PHP
  Description     : GnuPG plugin for SquirrelMail

 This is a general purpose encryption, decryption, and digital signature plugin
 for SquirrelMail that implements the OpenPGP standard using GPG.
 .
 Major Features:
  * Key import from keyring or ASCII armor file
  * key Search and Import from keyservers
  * Key Pair Creation
  * Encrypt from Compose
  * Decrypt on reading encrypted message
  * Encrypt, Decrypt, and Sign Attachments
  * Sign messages and verify signatures
  * System Keyring for use on corporate mail servers
  * pgp/mime support

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, Jan Hauke Rahm <info@jhr-online.de>:
Bug#466669; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Lars Wirzenius <liw@iki.fi>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, Jan Hauke Rahm <info@jhr-online.de>. Full text and rfc822 format available.

Message #10 received at 466669@bugs.debian.org (full text, mbox):

From: Lars Wirzenius <liw@iki.fi>
To: debian-devel@lists.debian.org
Cc: 466669@bugs.debian.org
Subject: Re: Bug#466669: ITP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail
Date: Wed, 20 Feb 2008 12:16:53 +0200
On ke, 2008-02-20 at 01:56 -0800, Don Armstrong wrote:
> On Wed, 20 Feb 2008, Jan Hauke Rahm wrote:
> >   * Decrypt on reading encrypted message
> >   * Encrypt, Decrypt, and Sign Attachments
> >   * Sign messages and verify signatures
> 
> I really, really hope it's implementing in some incredibly novel way
> that doesn't involve having secret keys on the webserver (channeling
> Manoj) or *even* network accessible.
> 
> Otherwise it's pretty much insta-buggy by design.

I can imagine ways in which this could be used safely. For instance, by
using it instead of mutt or alpine or some GUI software on a machine
which gets disconnected from the network while the GnuPG operations
happen.

That's not a very likely scenario.

A more likely scenario would be to use a low-security key on a web
server -- it's quite imperfect security, but if you understand the
risks, it's better than not using GnuPG. For example, it prevents
routine eavesdropping and requires the opponent to actually break into
the web server to get a copy of your key.

May I suggest that the package adds a big warning about the security
issues to the description, and README.Debian? Possibly even NEWS.Debian?






Message sent on to Jan Hauke Rahm <info@jhr-online.de>:
Bug#466669. Full text and rfc822 format available.

Message #13 received at 466669-submitter@bugs.debian.org (full text, mbox):

From: "Ricardo Mones" <mones@debian.org>
To: 466669-submitter@bugs.debian.org
Subject: status of this?
Date: Fri, 18 Jul 2008 13:18:55 +0200
Hi,

Saw your ITP request an wondering why is that still not in Debian?

(I've already read the security concerns commented, but I think this
is still is useful under certain scenarios).

regards and thanks in advance,
-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Is that really YOU that is reading this?»

Information stored:
Bug#466669; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #18 received at 466669-quiet@bugs.debian.org (full text, mbox):

From: Jan Hauke Rahm <info@jhr-online.de>
To: Ricardo Mones <mones@debian.org>, 466669-quiet@bugs.debian.org
Subject: Re: Bug#466669: status of this?
Date: Fri, 18 Jul 2008 17:10:12 +0200
[Message part 1 (text/plain, inline)]
Hi Ricardo,

On Fri, Jul 18, 2008 at 01:18:55PM +0200, Ricardo Mones wrote:
> Saw your ITP request an wondering why is that still not in Debian?
> 
> (I've already read the security concerns commented, but I think this
> is still is useful under certain scenarios).

Well, I agree, but while preparing the package I had some diffculties
with setting up an apropiate debian/copyright file. After some
communication with upstream I've asked for clarification which obviously
needs some time. The upstream author already told me that it would take
a bit and so I'm waiting. It wouldn't be bad to ask for it one more
time, I guess, but I have not too much hope since it's really a lot of
files that need to be viewed.

I'm sorry for these kind of bad news. I still hope to get this package
ready for lenny.

Cheers,
Hauke
[signature.asc (application/pgp-signature, inline)]

Information stored:
Bug#466669; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to "Ricardo Mones" <mones@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #23 received at 466669-quiet@bugs.debian.org (full text, mbox):

From: "Ricardo Mones" <mones@debian.org>
To: "Jan Hauke Rahm" <info@jhr-online.de>
Cc: 466669-quiet@bugs.debian.org
Subject: Re: Bug#466669: status of this?
Date: Fri, 18 Jul 2008 20:01:38 +0200
Hi Hauke,

On Fri, Jul 18, 2008 at 5:10 PM, Jan Hauke Rahm <info@jhr-online.de> wrote:
> Hi Ricardo,
>
> On Fri, Jul 18, 2008 at 01:18:55PM +0200, Ricardo Mones wrote:
>> Saw your ITP request an wondering why is that still not in Debian?
>>
>> (I've already read the security concerns commented, but I think this
>> is still is useful under certain scenarios).
>
> Well, I agree, but while preparing the package I had some diffculties
> with setting up an apropiate debian/copyright file. After some
> communication with upstream I've asked for clarification which obviously
> needs some time. The upstream author already told me that it would take
> a bit and so I'm waiting. It wouldn't be bad to ask for it one more
> time, I guess, but I have not too much hope since it's really a lot of
> files that need to be viewed.

Oh, well, unfortunately these things take time. I was hoping it wasn't
some licensing problem, but failed ;-)

> I'm sorry for these kind of bad news. I still hope to get this package
> ready for lenny.

Good, if you need some sponsor or any other help with this feel free
to contact me.

Thanks for your answer,
-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Bridge ahead. Pay troll.»

Changed Bug submitter to 'Jan Hauke Rahm <jhr@debian.org>' from 'Jan Hauke Rahm <info@jhr-online.de>' Request was from Jan Hauke Rahm <jhr@debian.org> to control@bugs.debian.org. (Sat, 03 Oct 2009 13:27:19 GMT) Full text and rfc822 format available.

Owner changed from Jan Hauke Rahm <info@jhr-online.de> to Jan Hauke Rahm <jhr@debian.org>. Request was from Jan Hauke Rahm <jhr@debian.org> to control@bugs.debian.org. (Sat, 03 Oct 2009 13:27:38 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Jan Hauke Rahm <jhr@debian.org>:
Bug#466669; Package wnpp. (Sat, 19 Feb 2011 17:58:29 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Jan Hauke Rahm <jhr@debian.org>. (Sat, 19 Feb 2011 17:58:29 GMT) Full text and rfc822 format available.

Message #32 received at 466669@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@debian.org>
To: 466669@bugs.debian.org
Cc: control@bugs.debian.org
Subject: squirrelmail-gpg: changing back from ITP to RFP
Date: Sat, 19 Feb 2011 17:02:29 +0000
retitle 466669 RFP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail
noowner 466669
thanks

Hi,

This is an automatic email to change the status of squirrelmail-gpg back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 6 months.

If you are still interested in adopting squirrelmail-gpg, please send a mail to
<control@bugs.debian.org> with:

 retitle 466669 ITP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail
 owner 466669 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <466669@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>




Changed Bug title to 'RFP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail' from 'ITP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 19 Feb 2011 18:09:27 GMT) Full text and rfc822 format available.

Removed annotation that Bug was owned by Jan Hauke Rahm <jhr@debian.org>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 19 Feb 2011 18:09:27 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#466669; Package wnpp. (Sun, 20 Feb 2011 11:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jan Hauke Rahm <jhr@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Sun, 20 Feb 2011 11:33:02 GMT) Full text and rfc822 format available.

Message #41 received at 466669@bugs.debian.org (full text, mbox):

From: Jan Hauke Rahm <jhr@debian.org>
To: control@bugs.debian.org, 466669@bugs.debian.org
Subject: Re: Bug#466669: squirrelmail-gpg: changing back from ITP to RFP
Date: Sun, 20 Feb 2011 12:21:51 +0100
[Message part 1 (text/plain, inline)]
retitle 466669 ITP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail
owner 466669 !
thanks

I'm keeping this as ITP open since I'm still willing to maintain it.
Upstream issues are still not solved but being worked on.

Hauke

-- 
 .''`.   Jan Hauke Rahm <jhr@debian.org>               www.jhr-online.de
: :'  :  Debian Developer                                 www.debian.org
`. `'`   Member of the Linux Foundation                    www.linux.com
  `-     Fellow of the Free Software Foundation Europe      www.fsfe.org
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'ITP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail' from 'RFP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail' Request was from Jan Hauke Rahm <jhr@debian.org> to control@bugs.debian.org. (Sun, 20 Feb 2011 11:33:06 GMT) Full text and rfc822 format available.

Owner recorded as Jan Hauke Rahm <jhr@debian.org>. Request was from Jan Hauke Rahm <jhr@debian.org> to control@bugs.debian.org. (Sun, 20 Feb 2011 11:33:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Jan Hauke Rahm <jhr@debian.org>:
Bug#466669; Package wnpp. (Mon, 04 Apr 2011 14:45:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Jan Hauke Rahm <jhr@debian.org>. (Mon, 04 Apr 2011 14:45:09 GMT) Full text and rfc822 format available.

Message #50 received at 466669@bugs.debian.org (full text, mbox):

From: Thomas Goirand <zigo@debian.org>
To: Jan Hauke Rahm <jhr@debian.org>
Cc: 466669@bugs.debian.org
Subject: Re: Squirrelmail plugin for GPG
Date: Mon, 04 Apr 2011 22:31:26 +0800
On 04/04/2011 08:43 PM, Jan Hauke Rahm wrote:
> Hi Thomas,
> 
> On Sat, Apr 02, 2011 at 06:03:37PM +0800, Thomas Goirand wrote:
>> I saw that you maintained the squirrelmail-spam-button plugin, and I was
>> wondering if you would also like to maintain the squirrelmail-gpg
>> plugin. I did the packaging, but I don't feel like maintaining yet
>> another package (I have quite a lot under my responsibility). If you do,
>> there my diff.gz is attached. I paid attention to keep the same
>> packaging style you used for your spam-button plugin.
> 
> I even already have an ITP on squirrelmail-gpg (#466669). In that report
> you find the reasons why it's not in the archive (yet?). I have to admit
> though, there's one to add nowadays: upstream seems pretty much dead. :(
> 
> If you have new information about it, feel free to tell me. I'd be happy
> to see that usable in Debian.
> 
> Hauke

Excuse me to say it this way, but the excuse that it's dangerous to keep
a key on a server is a silly reason for not sending the package in main.
There's many more reasons you would like to use this package, for
example to CHECK for a signature. That doesn't require uploading or
generating a key on the server, yet there's no other way but to use this
package, if you use Squirrelmail.

Now, I agree that a warning could be added to the package description.
But it's the responsibility of an administrator to use (or not) keys on
the server side. As for me, I would do so only for small low-security
things, like signing my outgoing mail. Using a key for signing my
outgoing mail is better than not signing at all, and myself and 5 other
people are the only one using the server. How in this kind of case, is
this a security threat? Why would it be considered less safe, than,
let's say, browsing the web using Adobe flash player on my laptop?

The fact that upstream is dead is a much bigger concern though. Did you
try to ping him once more?

Thomas




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Jan Hauke Rahm <jhr@debian.org>:
Bug#466669; Package wnpp. (Mon, 27 May 2013 13:32:33 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Jan Hauke Rahm <jhr@debian.org>. (Mon, 27 May 2013 13:32:33 GMT) Full text and rfc822 format available.

Message #55 received at 466669@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@debian.org>
To: 466669@bugs.debian.org
Cc: control@bugs.debian.org
Subject: squirrelmail-gpg: changing back from ITP to RFP
Date: Mon, 27 May 2013 15:24:12 +0200
retitle 466669 RFP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail
noowner 466669
tag 466669 - pending
thanks

Hi,

This is an automatic email to change the status of squirrelmail-gpg back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 12 months.

If you are still interested in adopting squirrelmail-gpg, please send a mail to
<control@bugs.debian.org> with:

 retitle 466669 ITP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail
 owner 466669 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <466669@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>



Changed Bug title to 'RFP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail' from 'ITP: squirrelmail-gpg -- GnuPG plugin for SquirrelMail' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Mon, 27 May 2013 13:55:20 GMT) Full text and rfc822 format available.

Removed annotation that Bug was owned by Jan Hauke Rahm <jhr@debian.org>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Mon, 27 May 2013 13:55:20 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 05:45:25 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.