File: TODO

package info (click to toggle)
monkeysign 1.1~bpo70%2B1
  • links: PTS
  • area: main
  • in suites: wheezy-backports
  • size: 272 kB
  • sloc: python: 1,905; makefile: 8
file content (91 lines) | stat: -rw-r--r-- 3,749 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
Release process
===============

 * make sure tests pass (`./test.py`)
 * update version in `monkeysign/__init__.py` and run `dch -i -D unstable`
 * signed and annotated tag (`git tag -s -u keyid x.y`)
 * build Debian package (`git-buildpackage`)
 * install and test Debian package (`dpkg -i ../build-area/monkeysign_*.deb`)
 * upload Debian package
 * push commits and tags to the git repository
 * add announcement on website and mailing list <monkeysphere@lists.riseup.net>

2.0 blockers
============

The following needs to be fixed before 2.0 is released.

 * properly handle exceptions in GTK UI
 * usability issues:
  * don't popup - because we can't control location - besides popups are
    evil
  * merge the two monkeyscan classes, and cleanup the GTK UI code
  * move video dropdown in preferences
  * add explanations on what will happen, maybe pic of two laptops
  * move key selection an identity menu
  * label the two frames to explain what the camera and qrcode does
  * drop the save/print buttons
  * there shouldn't be a question "sign all user IDs?" -- there should
    just be a list of user IDs presented with checkboxes next to them all
    pre-checked by default and the user can un-check the ones they want
 * gpg-agent should be started if it's not already
 * merge with python-gnupg (see below)
 * make all options accessible from the GUI (preferences? see
   configparser and json modules)
 * make sure the GUI and CLI have feature parity, for example right
   now the GUI can't do local signatures without a commandline flag
 * maybe then: merge in a single "monkeysign" binary
 * if not merging: harmonize error handling in gpg.py, see the file
   docstring for more info

Other wishlist items
====================

 * reuse tactical tech's security in a box PGP training material for
   documentation
 * having a windows port would be important for wider adoption
 * encode a "can you keep my picture" in the qrcode - the code would be
   advisory (as the remote implementations could simply not respect the
   setting) - but if it is set, we should avoid keeping a picture of the
   person associated with the qrcode, maybe by blurring out the image
   outside of the qrcode
 * make a batch mode: pictures are recorded in a gallery and then can be
   processed one at a time
 * recognise my own fingerprint "yep, that's me!"
 * complete keyring management?
 * key generation

The merge question
==================

This software has a primitive GPG Python API that duplicates the work
of at least two other libraries. The `pythong-gnupg` library is
particularly similar and communication was started to consider the
possibility of merging. This section details how we should deal with
this.

 * decide to merge or split from pythong-gnupg (done: we merge)
   - for merge arguments:
     - gnupg has more history and authors
     - has more features (see below)
     - avoid project proliferation (already 4 python APIs to gpg)
     - may be less work
   - against merge arguments:
     - needs to rewrite monkeysign again (fairly easy)
     - i just spend about 20 hours in two days on this project
     - python-gnupg doesn't seem to have a VCS
     - hosted on code.google.com, BSD license (minor)
 * apply those improvements to python-gnupg
   - add key signing support
   - split the "context" and "keyring" classes
   - port monkeysign to python-gnupg
   - make sure python-gnupg is secure (ie. that it doesn't use
     popen([...], shell=True), see below

It seems that we have a new upstream for python-gnupg that resolves
most problems documented here:

https://github.com/isislovecruft/python-gnupg

We are in contact with upstream and they are open to merging in
changes, so we will go in that direction.