Bug#501812: gnome-keyring: Disable graphical dialog when interacting with a shell

Sun Mar 8 18:52:56 UTC 2009

On Sun, 08 Mar 2009 17:49:25 +0100, Josselin Mouette <joss at debian.org> wrote:

> Le dimanche 08 mars 2009 à 16:00 +0100, Herman Robak a écrit :
>> Modal dialogs that take focus away from _another_ application
>> are disruptive, and they can lead sensitive data to the wrong
>> place by accident.  We need less of them, not more.
>
> Modal dialogs that take the focus to go directly into the workflow
> you’re currently in (like, asking your SSH passphrase when you are
> connecting by SSH to a host) are not only harmless, they are *desired*.

 I agree that if a dialog pops up for this purpose, it needs to grab 
focus.  I did not mention focus.  My beef is with the dialog.

> I have seen what happens when they don’t steal the focus, and believe
> me, you don’t want that. That, being typing your passphrase in the wrong
> window.

 Simple solution: No dialog.  After all, ssh manages to present a 
prompt in the shell, where it is expected.

When the user has just typed ssh name at host <enter> into the shell, 
the line below that will be the user's locul of attention.

>> Many users may have wished for those features, but this
>> may be a good place to say "no you don't want that!"
>
> Please come up with a better argumentation than “DO NOT WANT”. 
> We are not on a troll forum.

 Please.  I am trying to present a rational argument that this 
feature, is not an improvement, but rather fraught with new risks.  
If you think it was too verbose, feel free to say that.

>> GUIs are supposed to be user _friendly_.  That does not
>> just mean easy and convenient, but safe.  Especially when
>> it comes to private keys and passphrases.  If they turn
>> out to be _less_ safe against user error, they fail to
>> maintain the GUI comfort zone, their raison d'être!
>
> I wonder what drugs you are on. The focus is stolen *precisely* for
> safety reasons. Typing something else in place of your passphrase is, at
> worse, annoying. Typing your passphrase in the wrong window can be a
> loss of sensitive data.

 As I said, the focus grabbing is not the main point.

> Unless you can propose a better behavior to manage SSH keys 

 Simple: Leave it to the shell, which the user already interacts with.

> based on real use cases and sensible analysis, 
> please refrain from such misinformed rants.

Insults aside, I'll give it a shot:

This dialog establishes a norm in the user's mind.  The first time 
the user is surprised, but eventually it is expected.  When a password 
is needed, a dialog pops up.  It pops up in its own X window.

What is the problem with that?  People have confirmation bias.  If 
more things happen surprisingly and out of context, they accept that 
as they get used to it.  That makes both malicious spoofing and 
accidential misfiling more likely. 

To summarise:
1) Redundant, the shell can present the prompt
2) Detracts from the context, see 1)
3) Part of a more general problem of "floating" nags
4) Lowers contrast between expected/surprising benign/anomalous 

Ordinary novice users are hurt by this, too.  But they may 
already be conditioned, so they are not annoyed much, even 
if they are more exposed or disrupted.

I guess only old farts like me and some security pundits know 
right away that this UI is fraught with danger, and should not 
be there if it is redundant.

I'm sorry if you found my style grating.  I know very well that 
pissing people off is not the best way to convince them.

-- 
Herman Robak