Debian Bug report logs - #733860
ITP: pond -- Forward secure, asynchronous messaging for the discerning.

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Ximin Luo <infinity0@gmx.com>

Date: Wed, 1 Jan 2014 14:03:02 UTC

Owned by: Ximin Luo <infinity0@pwned.gg>

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, wnpp@debian.org:
Bug#733860; Package wnpp. (Wed, 01 Jan 2014 14:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ximin Luo <infinity0@gmx.com>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, wnpp@debian.org. (Wed, 01 Jan 2014 14:03:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ximin Luo <infinity0@gmx.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: pond -- Forward secure, asynchronous messaging for the discerning.
Date: Wed, 01 Jan 2014 14:00:14 +0000
Package: wnpp
Severity: wishlist
Owner: Ximin Luo <infinity0@gmx.com>

* Package name    : pond
  Version         : 0:git~2014-01-01
  Upstream Author : Adam Langley <agl@imperialviolet.org>
* URL             : https://pond.imperialviolet.org/
* License         : BSD
  Programming Lang: Go
  Description     : Forward secure, asynchronous messaging for the discerning.

For secure, synchronous communication we have OTR and, when run over Tor, this is pretty good. But while we have secure asynchronous messaging in the form of PGP email, it's not forward secure and it gratuitously leaks traffic information. While a desire for forward secure PGP is hardly new, it still hasn't materialised in a widely usable manner.

Additionally, email is used predominately for insecure communications (mailing lists, etc) and is useful because it allows previously unconnected people to communicate as long as a (public) email address is known to one party. But the flip side to this is that volume and spam are driving people to use centralised email services. These provide such huge benefits to the majority of email communication, so it's unlikely that this trend is going to reverse. But, even with PGP, these services are trusted with hugely valuable traffic information if any party uses them.

So Pond is not email. Pond is forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received. Pond seeks to prevent leaking traffic information against everyone except a global passive attacker.



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ximin Luo <infinity0@gmx.com>:
Bug#733860; Package wnpp. (Wed, 01 Jan 2014 15:27:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ximin Luo <infinity0@gmx.com>. (Wed, 01 Jan 2014 15:27:08 GMT) Full text and rfc822 format available.

Message #10 received at 733860@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: Ximin Luo <infinity0@gmx.com>
Cc: 733860@bugs.debian.org
Subject: Re: ITP: pond -- Forward secure, asynchronous messaging for the discerning.
Date: Wed, 01 Jan 2014 15:26:20 +0000
On Wed, 2014-01-01 at 14:00 +0000, Ximin Luo wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Ximin Luo <infinity0@gmx.com>
> 
> * Package name    : pond
>   Version         : 0:git~2014-01-01
>   Upstream Author : Adam Langley <agl@imperialviolet.org>
> * URL             : https://pond.imperialviolet.org/
> * License         : BSD
>   Programming Lang: Go
>   Description     : Forward secure, asynchronous messaging for the discerning.
[...]

Is it really a good idea to package this yet, considering the home page
says "Dear God, please don't use Pond for anything real yet."

Maybe upload to experimental only?

Ben.

-- 
Ben Hutchings
Logic doesn't apply to the real world. - Marvin Minsky

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#733860; Package wnpp. (Wed, 01 Jan 2014 16:24:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ximin Luo <infinity0@gmx.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 01 Jan 2014 16:24:09 GMT) Full text and rfc822 format available.

Message #15 received at 733860@bugs.debian.org (full text, mbox):

From: Ximin Luo <infinity0@gmx.com>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: 733860@bugs.debian.org
Subject: Re: ITP: pond -- Forward secure, asynchronous messaging for the discerning.
Date: Wed, 01 Jan 2014 16:20:53 +0000
On 01/01/14 15:26, Ben Hutchings wrote:
> On Wed, 2014-01-01 at 14:00 +0000, Ximin Luo wrote:
>> Package: wnpp
>> Severity: wishlist
>> Owner: Ximin Luo <infinity0@gmx.com>
>>
>> * Package name    : pond
>>   Version         : 0:git~2014-01-01
>>   Upstream Author : Adam Langley <agl@imperialviolet.org>
>> * URL             : https://pond.imperialviolet.org/
>> * License         : BSD
>>   Programming Lang: Go
>>   Description     : Forward secure, asynchronous messaging for the discerning.
> [...]
> 
> Is it really a good idea to package this yet, considering the home page
> says "Dear God, please don't use Pond for anything real yet."
> 
> Maybe upload to experimental only?
> 
> Ben.
> 

That blog post is from quite a while ago, but I see your point. I'll contact
upstream to see what his advice is, and only upload to experimental in the
meantime.

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git


Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ximin Luo <infinity0@gmx.com>:
Bug#733860; Package wnpp. (Wed, 01 Jan 2014 17:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Philip Rinn <rinni@inventati.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ximin Luo <infinity0@gmx.com>. (Wed, 01 Jan 2014 17:15:04 GMT) Full text and rfc822 format available.

Message #20 received at 733860@bugs.debian.org (full text, mbox):

From: Philip Rinn <rinni@inventati.org>
To: debian-devel@lists.debian.org, 733860@bugs.debian.org
Subject: Re: Bug#733860: ITP: pond -- Forward secure, asynchronous messaging for the discerning.
Date: Wed, 01 Jan 2014 18:13:51 +0100
Hi,

I think it's important to add also the paragraph about actual usability for the
homepage:

Dear God, please don't use Pond for anything real yet. I've hammered out nearly
20K lines of code that have never been reviewed. Unless you're looking to
experiment you should go use something that actually works (e.g. GnuPG).[0]


In general I'd ask if it's not better to wait for code reviews before packaging it.

Best,
Philip

[0] https://pond.imperialviolet.org



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ximin Luo <infinity0@gmx.com>:
Bug#733860; Package wnpp. (Fri, 03 Jan 2014 05:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ximin Luo <infinity0@gmx.com>. (Fri, 03 Jan 2014 05:27:05 GMT) Full text and rfc822 format available.

Message #25 received at 733860@bugs.debian.org (full text, mbox):

From: intrigeri <intrigeri@debian.org>
To: debian-devel@lists.debian.org, 733860@bugs.debian.org
Subject: Re: Bug#733860: ITP: pond -- Forward secure, asynchronous messaging for the discerning.
Date: Fri, 03 Jan 2014 06:23:41 +0100
Hi,

Kartik Mistry wrote (03 Jan 2014 04:45:02 GMT) :
> Suitable for experimental for sure. I'll be happy to help in
> packaging if needed.

Great, three candidate packagers for a single ITP :)

I'm re-adding the ITP bug to the Cc list. Please keep it copied so
that the discussion is archived there.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ximin Luo <infinity0@gmx.com>:
Bug#733860; Package wnpp. (Fri, 03 Jan 2014 18:09:51 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tollef Fog Heen <tfheen@err.no>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ximin Luo <infinity0@gmx.com>. (Fri, 03 Jan 2014 18:09:51 GMT) Full text and rfc822 format available.

Message #30 received at 733860@bugs.debian.org (full text, mbox):

From: Tollef Fog Heen <tfheen@err.no>
To: 733860@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#733860: ITP: pond -- Forward secure, asynchronous messaging for the discerning.
Date: Fri, 03 Jan 2014 18:45:16 +0100
]] Ximin Luo 

> Package: wnpp
> Severity: wishlist
> Owner: Ximin Luo <infinity0@gmx.com>
> 
> * Package name    : pond
>   Version         : 0:git~2014-01-01

You might want to use a version number such as 0~20140101+git+$sha1 or
similar.  0:git probably isn't even valid as a Debian version number,
since : is used for epochs.

> So Pond is not email. Pond is forward secure, asynchronous messaging
> for the discerning. Pond messages are asynchronous, but are not a
> record; they expire automatically a week after they are received. Pond
> seeks to prevent leaking traffic information against everyone except a
> global passive attacker.

Am I understanding it correctly that this is somewhat like sending an
encrypted message to a key's fingerprint in a DHT with an expiration
tacked on, or is this completely off the mark?

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
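
How the two version strings from the message above split into fields, as an added example that is not part of the original message or of any Debian tool. It assumes the `[epoch:]upstream_version[-debian_revision]` layout and character rules of Debian Policy; `ParseVersion` and `Version` are hypothetical names, and `abc1234` is a constructed stand-in for `$sha1`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Version holds the fields of [epoch:]upstream_version[-debian_revision].
type Version struct{ Epoch, Upstream, Revision string }

var (
	epochRe    = regexp.MustCompile(`^[0-9]+$`)
	upstreamRe = regexp.MustCompile(`^[A-Za-z0-9.+~-]+$`)
	revisionRe = regexp.MustCompile(`^[A-Za-z0-9.+~]+$`)
)

// ParseVersion splits s at the first ':' (epoch) and the last '-'
// (revision) and returns the fields plus any rule violations it found.
func ParseVersion(s string) (Version, []string) {
	v := Version{Epoch: "0", Upstream: s} // a missing epoch counts as 0
	var problems []string
	if i := strings.Index(s, ":"); i >= 0 {
		v.Epoch, v.Upstream = s[:i], s[i+1:]
		if !epochRe.MatchString(v.Epoch) {
			problems = append(problems, "epoch is not an unsigned integer")
		}
	}
	if i := strings.LastIndex(v.Upstream, "-"); i >= 0 {
		v.Upstream, v.Revision = v.Upstream[:i], v.Upstream[i+1:]
		if !revisionRe.MatchString(v.Revision) {
			problems = append(problems, "revision has invalid characters")
		}
	}
	if !upstreamRe.MatchString(v.Upstream) {
		problems = append(problems, "upstream version has invalid characters")
	} else if v.Upstream[0] < '0' || v.Upstream[0] > '9' {
		problems = append(problems, "upstream version does not start with a digit")
	}
	return v, problems
}

func main() {
	// Both strings come from the thread; "abc1234" stands in for $sha1.
	for _, s := range []string{"0:git~2014-01-01", "0~20140101+git+abc1234"} {
		v, p := ParseVersion(s)
		fmt.Printf("%-24s epoch=%s upstream=%s revision=%q problems=%v\n", s, v.Epoch, v.Upstream, v.Revision, p)
	}
}
```

For `0:git~2014-01-01` the leading `0` is consumed as the epoch and the trailing `01` as the Debian revision, leaving `git~2014-01` as an upstream version that does not start with a digit.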



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#733860; Package wnpp. (Tue, 07 Jan 2014 14:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ximin Luo <infinity0@gmx.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Tue, 07 Jan 2014 14:15:04 GMT) Full text and rfc822 format available.

Message #35 received at 733860@bugs.debian.org (full text, mbox):

From: Ximin Luo <infinity0@gmx.com>
To: Tollef Fog Heen <tfheen@err.no>, 733860@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#733860: ITP: pond -- Forward secure, asynchronous messaging for the discerning.
Date: Tue, 07 Jan 2014 14:12:23 +0000
(I am not on debian-devel, please don't forget to CC me.)

On 03/01/14 17:45, Tollef Fog Heen wrote:
> ]] Ximin Luo 
> 
>> Package: wnpp
>> Severity: wishlist
>> Owner: Ximin Luo <infinity0@gmx.com>
>>
>> * Package name    : pond
>>   Version         : 0:git~2014-01-01
> 
> You might want to use a version number such as 0~20140101+git+$sha1 or
> similar.  0:git probably isn't even valid as a Debian version number,
> since : is used for epochs.
> 

Thanks, I will do that. The previous one was just a placeholder that I guessed; I will read through the version syntax spec properly before I commit to anything.

>> So Pond is not email. Pond is forward secure, asynchronous messaging
>> for the discerning. Pond messages are asynchronous, but are not a
>> record; they expire automatically a week after they are received. Pond
>> seeks to prevent leaking traffic information against everyone except a
>> global passive attacker.
> 
> Am I understanding it correctly that this is somewhat like sending an
> encrypted message to a key's fingerprint in a DHT with an expiration
> tacked on, or is this completely off the mark?
> 

It's somewhat off the mark :p

The encryption keys are ephemerally generated using a ratchet to provide forward secrecy. The network structure is client-to-federated-servers rather than completely decentralised like a DHT. The servers provide availability, but are otherwise trusted with very little private information. (There is still some metadata leakage I believe.) The design also tries to protect against timing/length analyses.

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
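
The forward-secrecy property a ratchet provides, shown with an added example that is not part of the original message and is not Pond's code. A symmetric HMAC-SHA256 key chain is assumed in place of Pond's actual ratchet, which the thread does not describe; `Ratchet`, `Demo` and the shared secret are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Ratchet is a one-way key chain; each step replaces the chain key.
type Ratchet struct{ chainKey []byte }

func kdf(key []byte, label byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte{label})
	return m.Sum(nil)
}

// NewRatchet starts a chain from a secret both peers already share.
func NewRatchet(secret []byte) *Ratchet { return &Ratchet{kdf(secret, 0x00)} }

// Next returns the key for one message and advances the chain.
func (r *Ratchet) Next() []byte {
	msgKey, next := kdf(r.chainKey, 0x01), kdf(r.chainKey, 0x02)
	r.chainKey = next // old chain key is dropped; real code would also wipe it
	return msgKey
}

// Demo sends three messages, then copies the receiver's state as a device
// seizure would, and reports what that copied state can and cannot derive.
func Demo() (agree, pastExposed, futureExposed bool) {
	secret := []byte("constructed shared secret")
	sender, receiver := NewRatchet(secret), NewRatchet(secret)
	agree = true
	used := map[string]bool{}
	for i := 0; i < 3; i++ {
		k := sender.Next()
		agree = agree && bytes.Equal(k, receiver.Next())
		used[string(k)] = true
	}
	seized := &Ratchet{append([]byte(nil), receiver.chainKey...)}
	futureExposed = bytes.Equal(seized.Next(), sender.Next())
	for i := 0; i < 1000; i++ { // walking forward never revisits a used key
		pastExposed = pastExposed || used[string(seized.Next())]
	}
	return
}

func main() { fmt.Println(Demo()) }
```

`Demo` returns `true, false, true`: state copied after three messages cannot reproduce their keys, but it does yield the next one, which is the gap that ratchets mixing in fresh key exchanges are designed to close.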


Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ximin Luo <infinity0@gmx.com>:
Bug#733860; Package wnpp. (Wed, 08 Jan 2014 16:18:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Stapelberg <stapelberg@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ximin Luo <infinity0@gmx.com>. (Wed, 08 Jan 2014 16:18:24 GMT) Full text and rfc822 format available.

Message #40 received at 733860@bugs.debian.org (full text, mbox):

From: Michael Stapelberg <stapelberg@debian.org>
To: Ximin Luo <infinity0@gmx.com>, 733860@bugs.debian.org
Subject: Re: Bug#733860: ITP: pond -- Forward secure, asynchronous messaging for the discerning.
Date: Wed, 08 Jan 2014 17:14:45 +0100
Hi Ximin,

Ximin Luo <infinity0@gmx.com> writes:
> * Package name    : pond
>   Version         : 0:git~2014-01-01
>   Upstream Author : Adam Langley <agl@imperialviolet.org>
> * URL             : https://pond.imperialviolet.org/
> * License         : BSD
>   Programming Lang: Go
Since this is implemented in Go, I welcome you to join pkg-golang on
alioth (if you haven’t already) and maintain it in our team. Thanks for
considering :).

-- 
Best regards,
Michael



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ximin Luo <infinity0@gmx.com>:
Bug#733860; Package wnpp. (Tue, 21 Jan 2014 16:39:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ximin Luo <infinity0@pwned.gg>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ximin Luo <infinity0@gmx.com>. (Tue, 21 Jan 2014 16:39:15 GMT) Full text and rfc822 format available.

Message #45 received at 733860@bugs.debian.org (full text, mbox):

From: Ximin Luo <infinity0@pwned.gg>
To: 733860@bugs.debian.org
Subject: dependencies
Date: Tue, 21 Jan 2014 16:31:34 +0000
Control: owner -1 !
thanks

The following go packages are dependencies of pond and therefore will also need to be ITPd first:

code.google.com/p/go.crypto/
github.com/agl/ed25519/
github.com/agl/go-gtk/
github.com/agl/pond/

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git


Owner changed from Ximin Luo <infinity0@gmx.com> to Ximin Luo <infinity0@pwned.gg>. Request was from Ximin Luo <infinity0@pwned.gg> to 733860-submit@bugs.debian.org. (Tue, 21 Jan 2014 16:39:15 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 11:30:58 2014; Machine Name: beach.debian.org
