Re: [GIT PULL] first round of SCSI updates for the 6.7+ merge window

[James Bottomley]

On Thu, 2024-01-11 at 14:47 -0800, Linus Torvalds wrote:
> On Thu, 11 Jan 2024 at 14:36, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> > 
> > Stop making a bad pgp experience even worse - for no reason and
> > absolutely zero upside.
> 
> Side note: even getting gpg to show the subkeys was just an exercise
> in frustration.
> 
> For example, I'd expect that when you do
> 
>    gpg --list-key E76040DB76CA3D176708F9AAE742C94CEE98AC85
> 
> it would show the details of that key. No, it does not. It doesn't
> even *mention* that key.

You installed the special "make it even harder to use" version didn't
you?  Because for me (gpg 2.4.3) it gives

jejb@lingrow:~> gpg --list-key E76040DB76CA3D176708F9AAE742C94CEE98AC85
pub   rsa2048 2011-09-23 [SC] [expires: 2026-03-11]
      D5606E73C8B46271BEAD9ADF814AE47C214854D6
uid           [ultimate] James Bottomley
<James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
uid           [ultimate] James Bottomley <jejb@xxxxxxxxxxxxxxxxxx>
uid           [ultimate] James Bottomley <jejb@xxxxxxxxxx>
uid           [ultimate] [jpeg image of size 5254]
uid           [ultimate] James Bottomley <jejb@xxxxxxxxxxxxx>
uid           [ultimate] James Bottomley <jejb@xxxxxxxxxxxxxxxxxxxxx>
sub   nistp256 2018-01-23 [S] [expires: 2024-01-16]
sub   nistp256 2018-01-23 [E] [expires: 2024-01-16]
sub   nistp256 2023-07-20 [A] [expires: 2024-01-16]

Which shows all the subkeys and their expiration dates.  I admit it
doesn't show the fingerprints and you have to know you've requested a
subkey and it's showing the master record.

> Because this is gpg, and the project motto was probably "pgp was
> designed to be hard to use, and by golly, we'll take that to 11".
> 
> And no, adding "-vv" to get more verbose output doesn't help. That
> just makes gpg show more *other* keys.
> 
> Now, obviously, in order to actually show the key I *asked* gpg to
> list, I also have to use the "--with-subkey-fingerprint". OBVIOUSLY.
> 
> I can hear everybody go all Homer on me and say "Well, duh, dummy".
> 
> So yes, I realize that my frustration with pgp is because I'm just
> too stupid to understand how wonderful the UX really is, but my point
> is that you're really making it worse by using pointless features
> that actively makes it all so much less usable than it already is.

OK, OK, I can do longer expiration dates.

> Subkeys and expiration date make a bad experience worse.

I can't really fix the subkeys bit.  The reason I have a signing subkey
is because on my laptop it's TPM resident but with the authorization
password in gnome-keyring, so I unlock it on login (and so, for me, it
just works for all the day to day signing operations).  My master key
is also TPM resident but with a different password that doesn't unlock
on login to try to keep it more secure and because I only need to use
it when extending expiration dates or signing someone else's key.

> Yes, I blame myself for thinking pgp was a good model for tag
> signing. What can I say? I didn't expect people to actively try to
> use every bad feature.

Heh, well to paraphrase Churchill: gpg is the worst key management
system ... except for all the other key management systems out there
..

James