Daniel Kahn Gillmor | 27 Nov 22:22 2014

Accepted monkeysphere 0.37-2 (source all) into unstable

Format: 1.8
Date: Thu, 27 Nov 2014 14:52:41 -0500
Source: monkeysphere
Binary: monkeysphere
Architecture: source all
Version: 0.37-2
Distribution: unstable
Urgency: medium
Maintainer: Jameson Rollins <jrollins <at> finestructure.net>
Changed-By: Daniel Kahn Gillmor <dkg <at> fifthhorseman.net>
 monkeysphere - leverage the OpenPGP web of trust for SSH and TLS authentication
Closes: 635711
 monkeysphere (0.37-2) unstable; urgency=medium
   * patch from upstream: log() should consume all stdin when not given a
     message argument.  Closes: #635711
   * bumped Standards-Version to 3.9.6 (no changes needed)

Daniel Kahn Gillmor | 27 Nov 01:38 2014

Bug#635711: [PATCH] Always consume stdin when log is called without a message argument

See the discussion about this in https://bugs.debian.org/635711

I'm hoping this will resolve the intermittent SIGPIPEs plaguing
monkeysphere's postinst.

I'm still unable to reproduce the problem.  If people who can
reproduce the problem could try this patch and report back if it fixes
things for them, that would be great.
 src/share/common | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/share/common b/src/share/common
index e377ff3..2ea097e 100755
--- a/src/share/common
+++ b/src/share/common
 <at>  <at>  -38,6 +38,7  <at>  <at>  log() {
     local output
     local alllevels
     local found=
+    local written=

     # don't include SILENT in alllevels: it's handled separately
     # list in decreasing verbosity (all caps).
 <at>  <at>  -50,6 +51,9  <at>  <at>  log() {

     # just go ahead and return if the log level is silent
     if [ "$LOG_LEVEL" = 'SILENT' ] ; then
+        if [ ! "$2" ] ; then
+            cat >/dev/null
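Review bot: the test `[ ! "$2" ]` in the SILENT branch is true both when no message argument is passed and when an empty string is passed explicitly, so a call such as `log verbose ""` would also reach `cat >/dev/null` and block until its stdin hits EOF. If the intent is "called without a message argument", as the subject line says, test the argument count instead, for example `[ $# -lt 2 ]`, and add a one-line comment above the `cat` saying that the drain is there so the writer on the other side of the pipe does not get SIGPIPE when log returns early.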

Daniel Kahn Gillmor | 25 Nov 22:05 2014

Bug#635711: further analysis of monkeysphere.postinst failures

Control: tags 635711 + unreproducible help

I'm trying to get my head around the problem reported in #635711, which
i continue to be unable to reproduce by hand.

So far, reading the logs provided, it seems that we're getting an error
141 returned from within the transition scripts for
"monkeysphere-authentication setup".

The proposed edits thus far have been to remove or avoid invoking the
transition scripts during the postinst.

However, after invoking the transition scripts, the postinst itself
calls "monkeysphere-authentication setup" directly.

So removing the transition scripts seems unlikely to resolve the issue.

Looking further, shell return codes when aborting on a signal are
usually 128 + the signal.  141 is 128 + 13, and 13 is SIGPIPE.

The error happens in line 96 of src/share/ma/setup:

    printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust 2>&1 | log verbose

looking at the logs posted by Andreas [0], it looks like of these three,
log verbose has been invoked (and already completed), and of course
printf is a bash builtin.

gpg_sphere is a shell function but according to the set -x it isn't even
getting invoked before the SIGPIPE hits.
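The failure mode analysed in the message above, reduced to two pipeline stages, as an added example that is not part of the original post or of monkeysphere's code: `log_early`, `log_drain`, `writer`, `writer_status` and `explain_status` are hypothetical names and the fingerprint is made up. A logger that returns without reading stdin leaves its writer to die on SIGPIPE (status 141 under the default signal disposition), while one that drains stdin first lets the writer exit 0.

```sh
# Added illustration; simplified stand-ins, not monkeysphere's log().
LOG_LEVEL=SILENT

# Returns on SILENT without reading stdin.
log_early() {
    if [ "$LOG_LEVEL" = 'SILENT' ] ; then
        return 0
    fi
    cat >&2
}

# Same, but with no message argument it drains stdin before returning
# (same test as the patch quoted on this page).
log_drain() {
    if [ "$LOG_LEVEL" = 'SILENT' ] ; then
        if [ ! "$2" ] ; then
            cat >/dev/null
        fi
        return 0
    fi
    cat >&2
}

# Constructed writer: ownertrust-style lines for a made-up fingerprint,
# more than a pipe buffer's worth so the result does not depend on timing.
writer() {
    awk -v fpr=0123456789ABCDEF0123456789ABCDEF01234567 \
        'BEGIN { for (i = 0; i < 20000; i++) print fpr ":6:" }'
}

# Print the writer's exit status for "writer | <logger> verbose". It is
# reported on fd 3 because the pipeline's status is the last command's.
writer_status() {
    { { st=0; ( writer ) || st=$?; echo "$st" >&3; } | "$1" verbose; } 3>&1
}

# Decode a status the way the analysis does: above 128 means a signal.
explain_status() {
    if [ "$1" -gt 128 ] ; then
        echo "killed by signal $(( $1 - 128 ))"
    else
        echo "exited with status $1"
    fi
}

for logger in log_early log_drain ; do
    echo "$logger: writer $(explain_status "$(writer_status "$logger")")"
done
```

A writer that emits only one short line fails only if the reader has already exited when the write happens, which makes the failure timing-dependent; the example writes more than a pipe buffer to make it deterministic.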

Debian testing watch | 25 Nov 17:39 2014

monkeysphere REMOVED from testing

FYI: The status of the monkeysphere source package
in Debian's testing distribution has changed.

  Previous version: 0.37-1
  Current version:  (not in testing)
  Hint: <http://release.debian.org/britney/hints/auto-removals>
    Bug #635711: error on install

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.


This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

Jerome Charaoui | 24 Nov 05:24 2014

OpenSSH and multiple paths for AuthorizedKeyFiles


This is an attempt to update the website documentation to reflect the
fact that OpenSSH now supports multiple paths for the AuthorizedKeyFiles

I also believe that with such a configuration, it should be recommended
to set MONKEYSPHERE_RAW_AUTHORIZED_KEYS to 'none' in order to avoid key

-- Jerome

fr33domlover | 30 Apr 00:21 2014

Usage with mail server


This is my first post here. I run an SSH server and a web server and I'm
very interested in using a peer-to-peer decentralized natural way to
handle trust.

Monkeysphere already works with HTTPS and SSH as described in your
website, but I didn't find any information about:

- XMPP server (as far as I know, none exists yet but it's WIP)
- mail server

I'm going to run a mail server (first just IMAP, later I'll add SMTP)
and I'd like to not use an SSL certificate from a centralized source
which requires a lot of my private information for spying on me and
verifying my identity etc.

Does monkeysphere support mail serving?

I can imagine it may work for sending mail to the user, but what happens
if an SMTP server wants to send email to my IMAP server? How does the
SMTP server send me encrypted data if it cannot recognize my OpenPGP
based "certificate"?

If there's any approach waiting to be implemented or used, I don't mind
pioneering. Just tell me please how it works. Also, maybe I can help add
monkeysphere support to dovecot if it's not too difficult.

Thanks in advance!

micah | 21 Apr 01:41 2014

Re: Archlinux Package

Profpatsch <mail <at> profpatsch.de> writes:

> On 14-04-10 06:21pm, Profpatsch wrote:
>> Since you are linking to a git package which is broken atm:
>> There is a package using the official releases at
>> https://aur.archlinux.org/packages/monkeysign/
> And I just became maintainer, so it’s up-to-date now, too.

If you would like to update the link on the page, the site is running
ikiwiki, a patch or a git remote would make the update real easy!

Gabriel Pérez-Cerezo | 30 Mar 13:23 2014

Monkeysphere integration in Links2


I have changed my plans. I have stopped working on w3m and now I'm working on Links2,
as it has many more features and is more widely used. I will write you when it is

Best wishes,


Gabriel Pérez-Cerezo Flohr
Website: http://gpcf.eu  E-mail: gabriel <at> gpcf.eu
GPG Key: D353EC69 (get it from http://gpcf.eu/key.asc)

Gabriel Pérez-Cerezo | 23 Mar 17:47 2014

libmsv licensing


As you may know, I'm working on a fork of the w3m browser which includes monkeysphere support. I have now got a
problem with the licensing. Libmsv is licensed under the GPLv3 and w3m under the MIT license, but as it is
linked to OpenSSL, it would need a linking exception, so I have to either link the GPL code from GPL+Linking
exception code or rewrite the entire SSL code using GNUtls.

Do you think that it is better to ask someone for a linking exception or rewrite the SSL code using GNUtls?


Gabriel Pérez-Cerezo Flohr
Website: http://gpcf.eu  E-mail: gabriel <at> gpcf.eu
GPG Key: D353EC69 (get it from http://gpcf.eu/key.asc)

isis agora lovecruft | 3 Jul 16:50 2013

gnupg-1.1.7, a Python GnuPG wrapper, is released on PyPI

Announcing the release of a more secure Python wrapper for GnuPG on PyPI.

About this release

This is the first stable release of a module (named 'gnupg' on PyPI)[0], which
originated as a fork of python-gnupg.[1] Several problems were found with the
upstream version, including a security vulnerability triggered by unvalidated
user input which, when used within networked code, can lead to remote arbitrary
code execution. Full notes of the audit can be found in the docs/ directory of
the git repo [2] and as orgmode→html [3] in the online documentation.

The new version [4] is incompatible with the old version, though the changes
required to upgrade for software depending on the old version should be
slight. Not to mention, the module is now extensively documented,[5] and
developed openly. It was downloaded nearly 1000 times on the first day it was
uploaded to PyPI.

To install:
$ [sudo] pip install gnupg

[0]: https://pypi.python.org/gnupg/
[1]: https://code.google.com/p/python-gnupg/
[2]: https://github.com/isislovecruft/python-gnupg/raw/master/docs/NOTES-python-gnupg-3.1-audit.org
[3]: http://pythonhosted.org/gnupg/NOTES-python-gnupg-3.1-audit.html
[4]: https://github.com/isislovecruft/python-gnupg/
[5]: https://pythonhosted.org/gnupg/


intrigeri | 8 Feb 10:14 2013

Bug#677565: [monkeysphere] Bug#682518: Bug#677565: RC bugs in msva-perl


Daniel Kahn Gillmor wrote (08 Feb 2013 05:48:55 GMT) :
> I've just pushed a proposed upstream msva-perl/0.8.1 targeted bugfix
> tag to git://lair.fifthhorseman.net/~dkg/msva-perl, and a "wheezy"
> branch that uses that and targets testing-proposed-updates.

Excellent! Thanks a lot.

> I've tested 0.8.1-1 on a wheezy system and it works for me.

I'm going to test it for a few days.

> I plan to upload it to t-p-u sometime tomorrow or the next day
> unless i hear from anyone that it didn't work for them.

Looks like a good plan, but I suggest waiting a bit longer for:

  1. You and someone else (I volunteer) to try the proposed package
     for a few days: given t-p-u uploads have no time to be tested in
     sid, we should be extra careful about them.
  2. A pre-approval from the release team, which is required by the
     current freeze policy before uploading to t-p-u.


  | GnuPG key  <at>  https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint  <at>  https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
