[sf-lug] Thanks!: Re: ... list_members -f sf-lug | ...
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Mon Feb 2 16:28:25 PST 2015
Rick,
Excellent, thanks, works perfectly fine. I'll have it automated on the
receiving end fairly soon.
> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] ... list_members -f sf-lug | ...
> Date: Mon, 2 Feb 2015 15:13:38 -0800
>
> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>
>> If you've got that, you can use gpg to decrypt the bit
>> that's encrypted further below - it's simple symmetric encryption using
>> that same password as passphrase for the encryption.
>
> gnupg is my candidate for Worst User Interface Ever for about the tenth
> year in a row. ;-> I can never do diddly squat with it until after
> rummaging around in the man page, doing Web searches, or both. Man,
> what an awful command-line interface.
Yes, gpg CLI is pretty sucky and relatively non-intuitive (and often
rather daunting for newbies ... at least without some hand-holding or a
good tutorial or "kinder, gentler" introduction). But at least it is
well documented (man pages and other resources), and despite the
interface, it basically works pretty darn well. And, with some
familiarity, and/or tweaking one's script(s) or setting some config
options (~/.gnupg/gpg.conf), it becomes much more usable. For all its
zillions of options, most of the time one commonly only deals with a
handful or less of them. And for all those other options - which
sometimes one needs ... well, it's basically look 'em up, then use 'em
for a one shot, or add 'em to a script (as I gave example), or drop 'em
in config file (which I've also certainly done).
On a somewhat similar note, find(1) and dd(1) are rather gross aberrations
in Unix, etc., regarding "standard" syntax. Granted, one wouldn't want
to mess up backwards compatibility ... but seems to me there ought to
come a layering atop such of a much more conformant and intuitive CLI
interface, that could become "standard", with ye olde interface also
supported for backwards compatibility (and perhaps, or if need be, with
the same binary invoked with different basenames (or paths) to give the
differing behaviors ... or to enforce a particular syntax behavior).
Anyway, just my thoughts on that - as I thought about it again some
day(s)/week(s) ago, and think of it again a wee bit more.
> The cron job to dump the roster from Python's 'frozen' storage format to
> ASCII and then (at present) e-mail it runs as the root user, so I guess
> I need to import that sucker (the public key) into root's keyring.
Not necessarily. And much like the mail command shown earlier in the
pipeline, that need not be run as root. Can drop privilege, e.g.:
privileged_command | su - unprivileged_user -c 'commands ...'
or if su - gives undesired side-effects (e.g. stuff more intended for
interactive) su unprivileged_user may suffice ... but with possibly
needing some environment tweaks first, or within the start of the
command. So, ... as is typically the case, there's trade-off between
simplicity/convenience and security.
> Fingerprint matches what you sent in unencrypted SMTP, which I Totally
> and Completely Trust. (A joke. Yes, we used a shared secret, so we're
> good.)
Yes, shared secret - low tech start, but can also be usefully utilized
to effectively bootstrap other authentication/security (e.g. when one of
two users hasn't already generated their PGP key for keysigning event,
or the highly common case, a user's initial temporary password).
> Manually running the export:
>
> # /var/lib/mailman/bin/list_members -f sf-lug | gpg --armor --yes
> --batch --trust-model always --encrypt --recipient
> 0x960C4BE648737D4287DC188FE8A55E60878BD8C0 >
> /var/lib/mailman/archives/private/sf-lug.mbox/sf-lug_roster.asc
> #
>
> Seems to have worked. This cron rendition appears to produce the
> expected output, too:
>
> :r /etc/cron.daily/sf-lug-roster
>
> #!/bin/sh
> #
> # sf-lug-roster: Cron script to save out current Mailman mailing list
> # sf-lug's roster in a place SF-LUG officers can get it.
> #
> # Written by Rick Moen (rick at linuxmafia.com)
> # $Id: cron.weekly,v 1.00 2015-02-02 16:06:00 rick
>
> set -o errexit #aka "set -e": exit if any line returns non-true value
> set -o nounset #aka "set -u": exit upon finding an uninitialised variable
>
> /var/lib/mailman/bin/list_members -f sf-lug | \
> /usr/bin/gpg --armor --yes --batch --trust-model always --encrypt --recipient \
> 0x960C4BE648737D4287DC188FE8A55E60878BD8C0 > \
> /var/lib/mailman/archives/private/sf-lug.mbox/sf-lug_roster.asc
> That should do it. You be the judge. ;-> Accordingly, I'm removing
> your e-mail as target for older cron job /etc/cron.weekly/mailman-rosters .
>
Thanks, and yes, tested, looks perfectly fine! :-)
I was able to snag the file via http and decrypt it without problem.
[OT]
>> >Bleah Fitzgerald. ;->
>> someone wearing a _The Great Gatsby_ F. Scott Fitzgerald t-shirt
> It was always considered an unfilmable novel (the Redford/Farrow
Unfilmable - as if that would stop Hollywood ...
Unfilmable movie of an unreadable book. ;-)
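The sf-lug-roster cron script quoted above, reworked as an added example (mine, not Rick's script or anything from the list): it refuses any recipient that is not a full fingerprint, and writes the ciphertext via a temp file plus rename so a gpg failure can never leave a truncated or empty roster behind. The environment-overridable variable names and the 0644 mode are assumptions; the paths and fingerprint are the ones from the thread.

```sh
#!/bin/sh
# Hardened variant of the sf-lug-roster cron job from the thread (added example,
# not Rick's script). Assumed knobs are overridable from the environment.
set -o errexit
set -o nounset

LIST_MEMBERS="${LIST_MEMBERS:-/var/lib/mailman/bin/list_members}"
OUT="${OUT:-/var/lib/mailman/archives/private/sf-lug.mbox/sf-lug_roster.asc}"
GPG="${GPG:-/usr/bin/gpg}"
# Recipient fingerprint from the thread; a full 40-hex-digit fingerprint pins
# exactly one key, which is what makes --trust-model always acceptable here.
RECIPIENT="${RECIPIENT:-0x960C4BE648737D4287DC188FE8A55E60878BD8C0}"

# Accept only a full fingerprint (optional 0x prefix); short key ids are
# cheap to collide, so refuse them rather than encrypt to the wrong key.
valid_fingerprint() {
    fp=$1
    case "$fp" in 0x*|0X*) fp=${fp#??} ;; esac
    [ "${#fp}" -eq 40 ] || return 1
    case "$fp" in *[!0-9A-Fa-f]*) return 1 ;; esac
    return 0
}

# Encrypt stdin to RECIPIENT and install it at $1 via temp file + rename, so
# readers never see a partial roster and a failed run keeps the previous one.
export_roster() {
    dest=$1
    tmp=$(mktemp "$dest.XXXXXX")
    if "$GPG" --armor --yes --batch --trust-model always \
            --encrypt --recipient "$RECIPIENT" >"$tmp"; then
        chmod 0644 "$tmp"   # ciphertext only, so the web server may read it
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

main() {
    if ! valid_fingerprint "$RECIPIENT"; then
        echo "sf-lug-roster: RECIPIENT is not a full fingerprint, refusing" >&2
        return 1
    fi
    umask 077   # nothing is readable by others until the chmod above
    "$LIST_MEMBERS" -f sf-lug | export_roster "$OUT"
}

# Run only when executed under the installed name, so the file can be sourced.
case "$0" in *sf-lug-roster*) main ;; esac
```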