On Thu, 2024-01-11 at 14:47 -0800, Linus Torvalds wrote:
> On Thu, 11 Jan 2024 at 14:36, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > Stop making a bad pgp experience even worse - for no reason and
> > absolutely zero upside.
>
> Side note: even getting gpg to show the subkeys was just an exercise
> in frustration.
>
> For example, I'd expect that when you do
>
>     gpg --list-key E76040DB76CA3D176708F9AAE742C94CEE98AC85
>
> it would show the details of that key. No, it does not. It doesn't
> even *mention* that key.

You installed the special "make it even harder to use" version, didn't
you? Because for me (gpg 2.4.3) it gives

jejb@lingrow:~> gpg --list-key E76040DB76CA3D176708F9AAE742C94CEE98AC85
pub   rsa2048 2011-09-23 [SC] [expires: 2026-03-11]
      D5606E73C8B46271BEAD9ADF814AE47C214854D6
uid           [ultimate] James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
uid           [ultimate] James Bottomley <jejb@xxxxxxxxxxxxxxxxxx>
uid           [ultimate] James Bottomley <jejb@xxxxxxxxxx>
uid           [ultimate] [jpeg image of size 5254]
uid           [ultimate] James Bottomley <jejb@xxxxxxxxxxxxx>
uid           [ultimate] James Bottomley <jejb@xxxxxxxxxxxxxxxxxxxxx>
sub   nistp256 2018-01-23 [S] [expires: 2024-01-16]
sub   nistp256 2018-01-23 [E] [expires: 2024-01-16]
sub   nistp256 2023-07-20 [A] [expires: 2024-01-16]

Which shows all the subkeys and their expiration dates. I admit it
doesn't show the fingerprints and you have to know you've requested a
subkey and it's showing the master record.

> Because this is gpg, and the project motto was probably "pgp was
> designed to be hard to use, and by golly, we'll take that to 11".
>
> And no, adding "-vv" to get more verbose output doesn't help. That
> just makes gpg show more *other* keys.
>
> Now, obviously, in order to actually show the key I *asked* gpg to
> list, I also have to use the "--with-subkey-fingerprint". OBVIOUSLY.
>
> I can hear everybody go all Homer on me and say "Well, duh, dummy".
>
> So yes, I realize that my frustration with pgp is because I'm just
> too stupid to understand how wonderful the UX really is, but my point
> is that you're really making it worse by using pointless features
> that actively make it all so much less usable than it already is.

OK, OK, I can do longer expiration dates.

> Subkeys and expiration date make a bad experience worse.

I can't really fix the subkeys bit. The reason I have a signing subkey
is because on my laptop it's TPM resident but with the authorization
password in gnome-keyring, so I unlock it on login (and so, for me, it
just works for all the day to day signing operations). My master key
is also TPM resident but with a different password that doesn't unlock
on login to try to keep it more secure and because I only need to use
it when extending expiration dates or signing someone else's key.

> Yes, I blame myself for thinking pgp was a good model for tag
> signing. What can I say? I didn't expect people to actively try to
> use every bad feature.

Heh, well to paraphrase Churchill: gpg is the worst key management
system ... except for all the other key management systems out there
...

James
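
An added example, not part of the original message or of gpg itself: a small parser for gpg's machine-readable `--with-colons` listing that resolves a fingerprint (primary or subkey) to its primary key, capability and expiry state, which the human-readable listing above does not make obvious. The fingerprints and key IDs in the sample are constructed; only the dates mirror the listing quoted above.

```python
# Constructed sample in the layout printed by
#   gpg --with-colons --list-keys <fingerprint>
# Fingerprints and key IDs are made up; timestamps are Unix seconds (UTC).
SAMPLE = """\
pub:u:2048:1:1111111111111111:1316736000:1773187200::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1316736000::0000::Example Maintainer <maint@example.org>:
sub:u:256:19:2222222222222222:1516665600:1705363200:::::s:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
sub:u:256:18:3333333333333333:1516665600:1705363200:::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
"""


def parse_colons(text):
    """Return {fingerprint: record} for every primary key and subkey."""
    keys, primary, pending = {}, None, None
    for line in text.splitlines():
        f = line.split(":") + [""] * 12          # pad short records
        if f[0] in ("pub", "sub"):
            # field 7 = expiry (empty means never), field 12 = capabilities
            pending = {"type": f[0],
                       "expires": int(f[6]) if f[6] else None,
                       "caps": f[11]}
        elif f[0] == "fpr" and pending is not None:
            fpr = f[9]                           # field 10 = fingerprint
            if pending["type"] == "pub":
                primary = fpr                    # later subkeys hang off this
            pending["primary"] = primary
            keys[fpr] = pending
            pending = None
    return keys


def describe(keys, fingerprint, now):
    """Summarise one key: is it a subkey, whose, what for, and is it expired."""
    rec = keys[fingerprint.upper()]
    exp = rec["expires"]
    return {"is_subkey": rec["type"] == "sub",
            "primary": rec["primary"],
            "caps": rec["caps"],
            "expired": exp is not None and exp <= now}


if __name__ == "__main__":
    ks = parse_colons(SAMPLE)
    # 1705000000 is 2024-01-11 (UTC), the date of the message above.
    print(describe(ks, "BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222", 1705000000))
```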