Bug#501812: gnome-keyring: Disable graphical dialog when interacting with a shell

Josselin Mouette joss at debian.org
Sun Mar 8 19:30:50 UTC 2009


On Sunday, 08 March 2009 at 19:52 +0100, Herman Robak wrote:
> > I have seen what happens when they don’t steal the focus, and believe
> > me, you don’t want that. That, being typing your passphrase in the wrong
> > window.
> 
>  Simple solution: No dialog.  After all, ssh manages to present a 
> prompt in the shell, where it is expected.

And this doesn’t cope at all with the case where the SSH connection is
not initiated from the shell. If it is initiated by gvfs because the
user opened a nautilus window or a file on a remote share, there is no
shell to display the prompt in.

Doing it in the shell only when started from the shell would bring two
other issues:
     1. Inconsistency. The prompting of a SSH key is always done the
        same with the gnome-keyring interface, whatever started the
        connection.
     2. Fragility. If you want the daemon to display something in the
        SSH’s tty, you need to hijack it and put text in it, which is
        prone to breakage.

> This dialog establishes a norm in the user's mind.  The first time 
> the user is surprised, but eventually it is expected.  When a password 
> is needed, a dialog pops up.  It pops up in its own X window.
> 
> What is the problem with that?  People have confirmation bias.  If 
> more things happen surprisingly and out of context, they accept that 
> as they get used to it.  That makes both malicious spoofing and 
> accidental misfiling more likely.

I’d say quite the contrary, since the dialog is always the same.
Previously, you’d have different prompts depending on where the
connection was initiated (e.g. the shell, nautilus, or seahorse).

Anyway, if you really want to discuss it further, I think you should do
it with upstream. I don’t think we have a good reason here to diverge
from upstream on such a disruptive scale.

> I guess only old farts like me and some security pundits know 
> right away that this UI is fraught with danger, and should not 
> be there if it is redundant.

If you have suggestions on how to *really* improve the interface from a
security standpoint, please bring them to upstream and I’m sure they
will be welcome. But simply removing what we have would actually be a
big regression, in terms of both security and usability.

Otherwise, if you don’t like gnome-keyring, it’s simple: don’t use it.

Cheers,
-- 
 .''`.      Debian 5.0 "Lenny" has been released!
: :' :
`. `'   Last night, Darth Vader came down from planet Vulcan and told
  `-    me that if you don't install Lenny, he'd melt your brain.