• Re: popularity-contest and gpg

    From Simon Josefsson@21:1/5 to Bill Allombert on Thu Mar 27 20:50:01 2025
    Bill Allombert <ballombe@debian.org> writes:

    Dear Debian developers,

    popularity-contest relies on /usr/bin/gpg for encrypting files.
    (it cannot use gpgv which does not provide encryption).

    Why does it need to encrypt data?

    Can't we just send telemetry over https like everyone else?

    For people who are uncomfortable with that, they can disable the
    package.

    I don't think the security properties of a popcon recipient PGP key and
    the WebPKI keys is all that different. Both are keys held by others who
    users have little information about. At least for WebPKI there are
    policies and transparency mechanisms in place, but the Debian PGP keys
    we have none of that. Which approach results in better outcome is
    probably a subjective opinion.

    /Simon


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bill Allombert@21:1/5 to All on Thu Mar 27 20:30:01 2025
    Dear Debian developers,

    popularity-contest relies on /usr/bin/gpg for encrypting files.
    (it cannot use gpgv which does not provide encryption).

    By design popularity-contest needs to have as few non-essential
    dependencies as possible because this skews the result.

    It used to be the case that apt depended on gpg, but not anymore.
    Is it still the best option ?

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Petter Reinholdtsen@21:1/5 to All on Thu Mar 27 21:00:01 2025
    [Simon Josefsson]
    Why does it need to encrypt data?

    To protect the users' privacy.

    Can't we just send telemetry over https like everyone else?

    Not all popcon submissions go over https, the fallback mechanism is
    SMTP.

    --
    Happy hacking
    Petter Reinholdtsen

  • From Simon Josefsson@21:1/5 to Jeremy Stanley on Thu Mar 27 22:10:01 2025
    Jeremy Stanley <fungi@yuggoth.org> writes:

    On 2025-03-27 20:57:52 +0100 (+0100), Petter Reinholdtsen wrote:
    [Simon Josefsson]
    Why does it need to encrypt data?

    To protect the users' privacy.

    Can't we just send telemetry over https like everyone else?

    Not all popcon submissions go over https, the fallback mechanism is
    SMTP.

    Also, OpenPGP encryption for the PopCon key means that you trust the
    handful of Debian project members and systems entrusted with access to
    that private key. Relying on HTTPS (SSL/TLS) means you're going to
    trust every organization who controls a CA in the root certificates
    list on your system as well as anyone/anything they might delegate
    wildcard records to (unless popularity-contest pins specific server
    certs, I haven't dug deep enough to know whether it does).

    Not that I personally feel like my popcon data is so highly sensitive
    that I'm worried about random governments or organized
    crime^W^Wcorporate interests snooping it, but the distinction is
    significant. PGP and TLS are not even remotely similar models
    privacy-wise.

    There are many problems with WebPKI, but at least we have mechanisms
    like Certificate Transparency to audit key usage of the CAs involved.
    There is no comparable mechanism for PGP keys used by individuals in
    Debian. Who are the individuals who have access to this PGP private
    key? How are the keys protected? Before such questions are answered, I
    believe it can be a reasonable choice to prefer to be in the same boat
    as everyone else (WebPKI) rather than jumping into another unknown boat
    which may have better or worse properties.

    /Simon

  • From Jeremy Stanley@21:1/5 to Petter Reinholdtsen on Thu Mar 27 22:00:01 2025
    On 2025-03-27 20:57:52 +0100 (+0100), Petter Reinholdtsen wrote:
    [Simon Josefsson]
    Why does it need to encrypt data?

    To protect the users' privacy.

    Can't we just send telemetry over https like everyone else?

    Not all popcon submissions go over https, the fallback mechanism is
    SMTP.

    Also, OpenPGP encryption for the PopCon key means that you trust the
    handful of Debian project members and systems entrusted with access
    to that private key. Relying on HTTPS (SSL/TLS) means you're going
    to trust every organization who controls a CA in the root
    certificates list on your system as well as anyone/anything they
    might delegate wildcard records to (unless popularity-contest pins
    specific server certs, I haven't dug deep enough to know whether it
    does).

    Not that I personally feel like my popcon data is so highly
    sensitive that I'm worried about random governments or organized
    crime^W^Wcorporate interests snooping it, but the distinction is
    significant. PGP and TLS are not even remotely similar models
    privacy-wise.
    --
    Jeremy Stanley

  • From Julian Andres Klode@21:1/5 to Bill Allombert on Thu Mar 27 22:20:01 2025
    On Thu, Mar 27, 2025 at 07:45:12PM +0100, Bill Allombert wrote:
    Dear Debian developers,

    popularity-contest relies on /usr/bin/gpg for encrypting files.
    (it cannot use gpgv which does not provide encryption).

    By design popularity-contest needs to have as few non-essential
    dependencies as possible because this skews the result.

    It used to be the case that apt depended on gpg, but not anymore.
    Is it still the best option ?

    Very long ago.

    In practical terms, it may still be the best option. There is of course
    the question of where do you want to go and I'd like to see `sq`
    pre-installed on interactive systems in the future, instead of `gpg`;
    if we do that, it stands to reason it should depend on `sq|gpg`.

    But this is a question for forky, and somewhat distracting right now,
    so um I'd suggest doing nothing for now and think about that.

    --
    debian developer - deb.li/jak | jak-linux.org - free software dev
    ubuntu core developer i speak de, en

  • From Peter Pentchev@21:1/5 to Bill Allombert on Thu Mar 27 22:20:01 2025
    On Thu, Mar 27, 2025 at 07:45:12PM +0100, Bill Allombert wrote:
    Dear Debian developers,

    popularity-contest relies on /usr/bin/gpg for encrypting files.
    (it cannot use gpgv which does not provide encryption).

    By design popularity-contest needs to have as few non-essential
    dependencies as possible because this skews the result.

    It used to be the case that apt depended on gpg, but not anymore.
    Is it still the best option ?

    I am among the people who have moved towards the Sequoia family of
    cryptographic tools; in particular, sqop (a Sequoia implementation of
    the SOP command-line interface) seems to work:

    [roam@straylight ~]$ echo canttouchthis | sqop encrypt /usr/share/popularity-contest/debian-popcon.gpg | pgpdump
    New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
    New version(3)
    Key ID - 0x4E9024B327CBD937
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA m^e mod n(4095 bits) - ...
    -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
    New: Symmetrically Encrypted and MDC Packet(tag 18)(63 bytes)
    Ver 1
    Encrypted data [sym alg is specified in pub-key encrypted session key]
    (plain text + MDC SHA1(20 bytes))
    [roam@straylight ~]$

    Hope that helps!

    G'luck,
    Peter

    --
    Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
    PGP key: https://www.ringlet.net/roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

  • From Bill Allombert@21:1/5 to Simon Josefsson on Thu Mar 27 22:30:01 2025
    On Thu, Mar 27, 2025 at 08:46:53PM +0100, Simon Josefsson wrote:
    Bill Allombert <ballombe@debian.org> writes:

    Dear Debian developers,

    popularity-contest relies on /usr/bin/gpg for encrypting files.
    (it cannot use gpgv which does not provide encryption).

    Why does it need to encrypt data?

    Can't we just send telemetry over https like everyone else?

    No we cannot, because the client cannot check certificates, and the
    server would be required to use a TLS library that supports all SSL/TLS
    protocols that have been in use since 2013. For reference, we receive
    more than 6000 weekly submissions from systems that are still running
    jessie.

    I don't think the security properties of a popcon recipient PGP key and
    the WebPKI keys is all that different. Both are keys held by others who
    users have little information about. At least for WebPKI there are
    policies and transparency mechanisms in place, but the Debian PGP keys
    we have none of that. Which approach results in better outcome is
    probably a subjective opinion.

    The public PGP key is shipped in the popularity-contest package.
    This key is only used to send popcon reports, which are assumed to
    be of moderate sensibility only (otherwise, do not report!).
    A copy of what has been sent is logged in /var/log/.

    Any consideration of security needs to include the security of the server.

    Cheers,
    Bill.

  • From Peter Pentchev@21:1/5 to Peter Pentchev on Thu Mar 27 22:30:02 2025
    On Thu, Mar 27, 2025 at 11:05:11PM +0200, Peter Pentchev wrote:
    On Thu, Mar 27, 2025 at 07:45:12PM +0100, Bill Allombert wrote:
    Dear Debian developers,

    popularity-contest relies on /usr/bin/gpg for encrypting files.
    (it cannot use gpgv which does not provide encryption).

    By design popularity-contest needs to have as few non-essential
    dependencies as possible because this skews the result.

    It used to be the case that apt depended on gpg, but not anymore.
    Is it still the best option ?

    I am among the people who have moved towards the Sequoia family of
    cryptographic tools; in particular, sqop (a Sequoia implementation of
    the SOP command-line interface) seems to work:

    [roam@straylight ~]$ echo canttouchthis | sqop encrypt /usr/share/popularity-contest/debian-popcon.gpg | pgpdump
    New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
    New version(3)
    Key ID - 0x4E9024B327CBD937
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA m^e mod n(4095 bits) - ...
    -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
    New: Symmetrically Encrypted and MDC Packet(tag 18)(63 bytes)
    Ver 1
    Encrypted data [sym alg is specified in pub-key encrypted session key]
    (plain text + MDC SHA1(20 bytes))
    [roam@straylight ~]$

    Hope that helps!

    Sent too fast. What I really intended to suggest was to support any SOP
    implementation (the command-line interface is the same, that's the
    point) and possibly prefer one as default. See e.g. dpkg-buildpackage
    for an example (and a great big thanks, Guillem! the SOP support there
    made unattended automated signing much easier!).

    G'luck,
    Peter

    --
    Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
    PGP key: https://www.ringlet.net/roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

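
The suggestion above, supporting gpg or any SOP implementation behind one call, as an added example (not the patch posted in this thread and not popularity-contest's own code). The function names, the preference order and the gpg option set are assumptions; the `encrypt CERTFILE` call shape for SOP tools is the one shown in the post.

```shell
#!/bin/sh
# Added example; find_opgp and encrypt_report are hypothetical names.
# Assumed preference order: gpg first (the current behaviour), then the
# SOP implementations named in the thread.
OPGP_CANDIDATES="gnupg:gpg sop:sqop sop:rsop sop:gosop"

# find_opgp BINDIR: print "MODE PATH" for the first executable candidate.
# Only BINDIR is searched, so a root cron job never resolves a tool via $PATH.
find_opgp() {
    for cand in $OPGP_CANDIDATES; do
        if [ -x "$1/${cand#*:}" ]; then
            printf '%s %s\n' "${cand%%:*}" "$1/${cand#*:}"
            return 0
        fi
    done
    return 1
}

# encrypt_report BINDIR KEYFILE RECIPIENT INFILE OUTFILE
# RECIPIENT is used in gnupg mode only; a SOP tool takes the certificate file.
encrypt_report() {
    found=$(find_opgp "$1") || {
        echo "no OpenPGP tool in $1; report not written" >&2
        return 1
    }
    mode=${found%% *}
    prog=${found#* }
    tmp="$5.tmp.$$"
    case $mode in
    sop)
        "$prog" encrypt "$2" < "$4" > "$tmp"
        ;;
    gnupg)
        # Throwaway homedir so no user keyring or config is consulted.
        home=$(mktemp -d) || return 1
        "$prog" --batch --no-options --no-default-keyring \
            --trust-model always --homedir "$home" --keyring "$2" \
            --armor --recipient "$3" --encrypt < "$4" > "$tmp"
        rc=$?
        rm -rf "$home"
        [ "$rc" -eq 0 ]
        ;;
    esac || { rm -f "$tmp"; return 1; }
    # Fail closed unless the tool really produced an armored OpenPGP message.
    if [ "$(head -n 1 "$tmp")" != "-----BEGIN PGP MESSAGE-----" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$5"
}
```

The output file only appears after the armor check passes, so a missing tool, a failing tool, or one that echoes its input never leaves a plaintext report where the sender would pick it up.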
  • From Bill Allombert@21:1/5 to Peter Pentchev on Thu Mar 27 22:50:01 2025
    On Thu, Mar 27, 2025 at 11:22:50PM +0200, Peter Pentchev wrote:
    I am among the people who have moved towards the Sequoia family of
    cryptographic tools; in particular, sqop (a Sequoia implementation of
    the SOP command-line interface) seems to work:

    [roam@straylight ~]$ echo canttouchthis | sqop encrypt /usr/share/popularity-contest/debian-popcon.gpg | pgpdump
    New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
    New version(3)
    Key ID - 0x4E9024B327CBD937
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA m^e mod n(4095 bits) - ...
    -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
    New: Symmetrically Encrypted and MDC Packet(tag 18)(63 bytes)
    Ver 1
    Encrypted data [sym alg is specified in pub-key encrypted session key]
    (plain text + MDC SHA1(20 bytes))
    [roam@straylight ~]$

    Hope that helps!

    Sent too fast. What I really intended to suggest was to support any SOP
    implementation (the command-line interface is the same, that's the
    point) and possibly prefer one as default. See e.g. dpkg-buildpackage
    for an example (and a great big thanks, Guillem! the SOP support there
    made unattended automated signing much easier!).

    Could you provide a patch for supporting that ?
    (the file is /etc/cron.daily/popularity-contest)

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Peter Pentchev@21:1/5 to Bill Allombert on Thu Mar 27 23:50:01 2025

    On Thu, Mar 27, 2025 at 10:46:23PM +0100, Bill Allombert wrote:
    On Thu, Mar 27, 2025 at 11:22:50PM +0200, Peter Pentchev wrote:
    I am among the people who have moved towards the Sequoia family of
    cryptographic tools; in particular, sqop (a Sequoia implementation of
    the SOP command-line interface) seems to work:

    [roam@straylight ~]$ echo canttouchthis | sqop encrypt /usr/share/popularity-contest/debian-popcon.gpg | pgpdump
    New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
    New version(3)
    Key ID - 0x4E9024B327CBD937
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA m^e mod n(4095 bits) - ...
    -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
    New: Symmetrically Encrypted and MDC Packet(tag 18)(63 bytes)
    Ver 1
    Encrypted data [sym alg is specified in pub-key encrypted session key]
    (plain text + MDC SHA1(20 bytes))
    [roam@straylight ~]$

    Hope that helps!

    Sent too fast. What I really intended to suggest was to support any SOP
    implementation (the command-line interface is the same, that's the
    point) and possibly prefer one as default. See e.g. dpkg-buildpackage
    for an example (and a great big thanks, Guillem! the SOP support there
    made unattended automated signing much easier!).

    Could you provide a patch for supporting that ?
    (the file is /etc/cron.daily/popularity-contest)

    Here you go. Let me know if you'd like me to rename the variables to
    uppercase, change the indentation, or change anything else to make it
    easier for you to review.

    (the patch itself is much clearer if you apply it and then run
    `diff -b` against the original)

    G'luck,
    Peter

    --
    Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
    PGP key: https://www.ringlet.net/roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

    Attachment: popcon-sop.patch

    From 94e4b3314e6be7c1599a4ce6fd160f72a7ac3a22 Mon Sep 17 00:00:00 2001
    From: Peter Pentchev <roam@debian.org>
    Date: Fri, 28 Mar 2025 00:39:48 +0200
    Subject: [PATCH] Also support sqop, rsop, and gosop for OpenPGP encryption

    ---
    debian/cron.daily | 64 ++++++++++++++++++++++++++++++++++++++++++-----
    1 file changed, 58 insertions(+), 6 deletions(-)

    diff --git a/debian/cron.daily b/debian/cron.daily
    index 26a3693..68b1f59 100644
    --- a/debian/cron.daily
    +++ b/debian/cron.daily
    @@ -132,22 +132,74 @@ do_sendmail()

    /usr/sbin/popularity-contest --su-nobody > $POPCON

    -GPG=/usr/bin/gpg
    +unset opgp_prog opgp_mode
    +for candi
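
    Review bot: The commit message is only a subject line, so nothing a reviewer can see documents the order in which gpg, sqop, rsop and gosop are tried once `GPG=/usr/bin/gpg` is replaced by `unset opgp_prog opgp_mode` and a candidate loop. Please add a message body stating the preference order and what the script does when no candidate is found; with encryption required, that case should stop the submission rather than let the report go out unencrypted. The hunk is cut off at `+for candi` in this copy, so the loop itself cannot be checked here.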
  • From Peter Pentchev@21:1/5 to Peter Pentchev on Thu Mar 27 23:50:01 2025
    On Fri, Mar 28, 2025 at 12:44:47AM +0200, Peter Pentchev wrote:
    On Thu, Mar 27, 2025 at 10:46:23PM +0100, Bill Allombert wrote:
    On Thu, Mar 27, 2025 at 11:22:50PM +0200, Peter Pentchev wrote:
    I am among the people who have moved towards the Sequoia family of
    cryptographic tools; in particular, sqop (a Sequoia implementation of
    the SOP command-line interface) seems to work:

    [roam@straylight ~]$ echo canttouchthis | sqop encrypt /usr/share/popularity-contest/debian-popcon.gpg | pgpdump
    New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
    New version(3)
    Key ID - 0x4E9024B327CBD937
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA m^e mod n(4095 bits) - ...
    -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
    New: Symmetrically Encrypted and MDC Packet(tag 18)(63 bytes)
    Ver 1
    Encrypted data [sym alg is specified in pub-key encrypted session key]
    (plain text + MDC SHA1(20 bytes))
    [roam@straylight ~]$

    Hope that helps!

    Sent too fast. What I really intended to suggest was to support any SOP
    implementation (the command-line interface is the same, that's the
    point) and possibly prefer one as default. See e.g. dpkg-buildpackage
    for an example (and a great big thanks, Guillem! the SOP support there
    made unattended automated signing much easier!).

    Could you provide a patch for supporting that ?
    (the file is /etc/cron.daily/popularity-contest)

    Here you go. Let me know if you'd like me to rename the variables to
    uppercase, change the indentation, or change anything else to make it
    easier for you to review.

    (the patch itself is much clearer if you apply it and then run
    `diff -b` against the original)

    Also, let me know if you'd like me to add support for specifying
    the program and the mode (gnupg or sop) in the configuration settings.

    G'luck,
    Peter

    --
    Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
    PGP key: https://www.ringlet.net/roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
