I'm sure you're being honest about your intent, but a glancing read of your previous comment sounded categorical, to my ear at least, "And they've all been proven false."
It’s hard from reading what is written how it is intended. Written communication is hard since it doesn’t encapsulate tone, emphasis, and other cues. I read “all” in this case to mean: “most of the commonly espoused objections”.
It's hard to know how these pieces fit together, especially if you have a fuzzy mental-model of the objectives and potential benefits. Is there a gentle introduction you'd recommend?
There are many ways to use PGP just as there are many ways to use openssl or any other cryptographic suite of tools.
For most individuals seeking to establish a long term durable personal keychain they want others to be able to externally trust and verify easily, I would suggest the following, which is more or less what most people in my circles do:
1. Buy a smartcard with touch support such as a Nitrokey 3
2. Ideally buy 3+ backup smartcards at the same time
3. Use Keyfork on AirgapOS booted on a laptop you trust to generate a 24 word mnemonic and split-encrypt it to 3+ smartcards (or write down mnemonic on paper if you lack budget for 3 extra smartcards)
4. If using backup smartcard set, split them up across 3 secure locations, or if using a raw mnemonic put on durable storage such as cryptosteel, and put that in tamper evident storage such as in a vacuum sealed bag with confetti with pictures you have copies of elsewhere.
5. Use keyfork to derive a PGP key and load it into your smartcard
6. Setup forced/locked "touch" requirement policies on all "slots" on your card so you must tap for each use (malware cannot do this, but easy for you to do)
7. Publish public key to keys.ogenpgp.org
8. Publish public key on your own domain name using Web Key Discovery
9. Use keyoxide docs to establish keyoxide profile with every internet platform you control attesting your key fingerprint is yours to make it easy for others form confidence that all of those are you, and your key is yours.
10. Major bonus: use QubesOS and map your smartcard only to an offline vault VM that prompts you for each use, and which security domain on your system wants to use your key, so malware is unlikely to be able to trick you even if your development environment is compromised.
From there you can use your provisioned smartcard with an openpgp smartcard capable ssh agent on your workstation for git signing, git push, ssh to servers, password management with password store, signing artifacts, thunderbird for email encryption, etc.
We plan on writing up a lot more public documentation for this sort of thing as the public docs suck, but we have helped thousands of people with this sort of thing.
Pop into #!:matrix.org or #keyfork:matrix.org if you want any help or advice for specific use cases.
A partially complete set of docs for different threat models is in progress at https://trove.distrust.co
There are many ways to use PGP just as there are many ways to use openssl or any other cryptographic suite of tools.
This is a very bad thing, because it is not in fact the case that there is one cryptosystem equally suited to all these tasks.
That you chose OpenSSL as your corroborating example is especially funny, because there is exactly one thing that OpenSSL is actually well-suited to doing (setting up TLS sessions), and then 20+ years of people getting themselves into grave trouble trying to get that library to do other things.
You spend a lot of energy steering people away from PGP, but what is your alternative to solve the same problems with the same threat models?
What do you want to shift the entire software supply chain security foundation of the internet to use instead and how?
Complaining the existing solution is not good enough is easy. Making things better and educating on current best efforts without creating centralized points of trust is hard.
Did you not read the post I linked upthread? You were quite confident in refuting its claims, so I assume we shared an understanding here.
Update
It looks like you drastically edited your comment after I replied to it, in ways that change the meaning of your prompt. That makes it impossible for us to continue discussing anything.
I hit send too fast before I was actually done typing/thinking because I was going too fast, and you somehow got a response in seemingly instantly. My bad on this one.
Oh THAT is why you are steering people away from OpenPGP, gotchu. I have read it a long time ago. I remain to be convinced. The blog post just reeks of "I can't use it, too complex for me therefore it sucks". Yeah, it can be misused, I do not deny that.
Isn't this more of a theoretical problem, rather than a practical one? In what situations do you want people to discover your key? You create a key pair for Github, upload the public key, and you're done; you can securely communicate with Github. Nobody ever has to discover it. Do they?
> In what situations do you want people to discover your key
Just to name some of the most common use cases I have:
1. When people in my orgs want to encrypt sensitive information to me, e.g in encrypted password databases over git.
2. When prospective new clients or security researchers want to encrypt sensitive requests to me via email. Have some in my inbox right now from today.
3. When people want to verify that commits or code reviews I signed on security critical software were really signed by me, and not masquerade malicious code as mine in a rebase, etc.
4. When people want to verify that public reproducible builds of artifacts I maintained are built by multiple maintainers.
These use cases all rely on a well published set of public keys shared with the public in ways with sufficient history and signatures so no one can impersonate me or other maintainers, or make it possible to easily trick people to encrypting data to keys that are not really ours.
I sign 100% of my commits, and 100% of all artifacts I maintain etc. Anyone claiming to be me on anything important without signatures from my very well established and easy to verify public keys, are not me.
A PGP key is the only standardized cryptographic passport for the internet and if you don't attach your work to an easily verifiable key you are one compromised account away from having your online identity used for supply chain attacks.
All major linux distributions and the core infrastructure on the internet is anchored in the PGP keys of few thousand people that put in the work to maintain well published keychains.
The only alternatives anyone have proposed are use Fulcio and let Google sign everything for you as a single point of failure for the internet. Hard pass.
Meanwhile with solutions like keyoxide, anyone can form confidence my key is mine trivially without relying on a central party:
> A PGP key is the only standardized cryptographic passport for the internet
I think this rather gives the game away.
For people for whom PGP is important, their PGP key is their identity. And there is a community of people like this. But it's small--I'd guesstimate maybe a million people or so at best, a true rounding error in terms of the internet.
For most people, however, their online identity is generally tied around one of a few core providers. The de facto identity for open source is GitHub, for better or worse. Do I like that we've moved to centralized identity management? Not particularly. But it is telling that in the shift towards identity management as a concept (e.g., OAuth2) in the past decade, PGP hasn't played a factor.
And in all of your passionate defenses of PGP, where you've complained that things don't support the PGP identity model, you've never really addressed the issues that a) most people don't have a PGP identity, b) PGP identity doesn't provide any practical value over existing identities, or c) things already work well enough with other identity models, that PGP identities don't integrate well with.
I do indeed strongly believe decentralized identity is critical to free internet. I cannot imagine any good outcomes from trusting a small handful of corporations that answer to a small handful of governments to decide what identity and access mean online.
But to your point, not nearly enough people have a concept of a desire to want digital sovereignty. Ownership of their own identity in a way a company has no control of.
And the ones curious about this concept, find the barrier to explore it impossibly high. That is why I have been so convinced in recent years that UX and social dynamics matter in cryptography as much as the math behind it.
That is why we put so much thought into keyfork. We realized it has to be one or two commands tops to be up and running with a new keychain or no one is going to do it.
This is what I mean when I suggest people who use PGP are LARPing. It's perfectly reasonable to prefer decentralized systems to centralized ones or to think that it's critically important to the future of the Internet that we pursue decentralization. But cryptosystems need to function when lives are on the line; the preference of an system with inferior, flawed cryptography, in pursuit of a philosophical goal about Internet governance, betrays the fact that the security you're after is only a secondary goal.
You see all sorts of different variants of this argument. People cling to PGP because they believe SMTP email needs a future. What does that have to do with protecting the life of a user? Nothing. People cling to PGP because of concerns about open source. Same issue. Not wanting to run things on their phone. Same issue.
Do you use Firefox on Linux, too? 4K Videos freeze so often for me, I don't even try watching them online, and always just download them with yt-dlp. It doesn't bother me enough to give Chrome a try, but maybe that'd make a difference.
I do too use Firefox on Linux, 4K videos seems to work fine for me, but I've never been able to download higher than 1080p with yt-dlp, seems it's just not available without DRM as far as I can tell, so now I'm curious how exactly you've been downloading that?
yt-dlp + 4K works fine for me. The only special thing I remember doing is adding the impersonate feature (which it prompts you to do if it needs it). In other words, instead of `uv tool install yt-dlp`, run `uv tool install yt-dlp[default,curl-cffi]`
The version in the Arch repos does not include the impersonate feature.
Linux can exist because there is a huge industry producing inexpensive open hardware. If that industry transitions to producing only locked down hardware, it will hurt Linux and all open source software. Be careful what you wish for.
not really, vim's visual mode always extends selection, while in Helix the base mode selects with your base commands so you can act on the selection, but it doesn't extend to the next one. For example, moving by 2 words only selects the 2nd one, not both like in Visual mode.
(although in this specific case of selecting everything this difference isn't visible)
The details are different, but they're both select-then-act. Admittedly, I've never used Helix, but I don't see how what you've described is a game changer. Surely, at least sometimes, what you want to do is exactly what visual-mode provides: explicitly select a region, using the combined movement of any available operator, and then act on that region.
Surely you understand the difference between sometimes and all the other times? This is a game changer for all those other times. Otherwise helix has a similar extending selection mode like visual
> This is a game changer for all those other times.
Is it though? I honestly don't understand what the big deal is. The original contention was that the benefit was in offering selection-then-action, unlike Vi. And then when it's pointed out that Vim actually offers selection-then-action as well, there is a new assertion that it's the particular WAY that Helix offers selection-then-action that is key.
To my mind, selection-then-action is provided by Vim if you want it. Maybe it's a few extra keystrokes sometimes, because it's not the default mode, as it is in Helix, but the main concept (ability to think in object-then-verb) is available in both, if that's the way you prefer to think.
> I honestly don't understand what the big deal is.
Honestly, you't not even trying to
> To my mind, selection-then-action is provided by Vim if you want it.
Ok, let your mind be content with ignoring the difference that I've just explained. By the way, you can also trivialize vim as "it's just a fewer keystrokes sometimes to do the same as in notepad, what's the big deal?"
Why do you think that? I've been listening to what you say. But again, you haven't exactly proven that operating on the single-most-recent movement (which as I understand it, also defines the selection) is the thing that you want to operate on the most often, rather than the convenience of being able to use the flexibility of multiple movements to define a selection.
Anyway, many people do claim that an editor isn't the most important thing, and that thinking takes a lot more time than the operation itself, and that therefore Notepad would often be sufficient. What those people don't really appreciate is the ability to operate on multiple lines at once, not a single selection, but across vast swathes of the text being edited. When your thinking is done, and needs to be applied to every single line of the file, you'd much rather have Vim than Notepad. But in such a case Helix wouldn't offer much, if any, advantage over Vim.
You seem emotionally attached to this in a way that my skepticism provokes, so we can drop the debate. People should use whatever they prefer; no harm done.
> I wrote a long comment but refreshed by accident before I could post it...
So I was going to write a commiseration and a screed about what a colossal UI failure this is, that you can so easily lose such work. But FWIW, before posting I searched to see if there are any extensions to address this. There are several for Chrome, but on Firefox I ended up trying "Textarea Cache", and sure enough if you close the page, and reopen it later, you can click the icon to recover your words.
What about aliens? When little green critters finally arrive on this planet, having travelled across space and time, will you reject their intelligence because they lack human biology? What if their biology is silicon based, rather than carbon?
There's really no reason to believe intelligence is tied to being human. Most of us accept the possibility (even the likelihood) of intelligent life in the universe, that isn't.
Sure, there's little doubt that our biology shapes our experience. But in the context of this conversation, we're talking about how AI falls short of true AGI. My answer was offered in that regard. It doesn't really matter what you think about human intelligence, if you believe that non-human intelligence is every bit as valid, and there is no inherent need for any "humanness" to be intelligent.
Given that, the constant drumbeat of pointing out how AI fails to be human, misses the mark. A lot of the same people who are making such assertions, haven't really thought about how they would quickly accept alien intelligence as legitimate and full-fledged... even though it too lacks any humanity backing it.
And why are they so eager to discount the possibility of synthetic life, and its intelligence, as mere imitation? As a poor substitute for the "real thing"? When faced with their easy acceptance of alien intelligence, it suggests that there is in fact a psychological reason at the base of this position, rather than pure rational dismissal. A desire to leave the purely logical and mechanical, and imbue our humanity with an essential spirit or soul, that maybe an alien could have, but never a machine. Ultimately, it is a religious objection, not a scientific one.
Alien or syntethic life will have to go through similar challenges to those that shape human life, human intelligence and our consciousness. No text prediction machine, no matter how complex or "large", has to change its evolving environment and itself, for example.
What you are talking about is experience/knowledge, not raw intelligence.
It has been proven that a Turning Machine and Lambda Calculus have the exact same equivalent expressiveness, that encompasses the _entire set_ of computable functions. Why are you so sure that "text prediction" is not equally expressive?
I'm all ears if you want to explain how you have a magic soul that is too important and beautiful to ever be equalled by a machine. But if intelligence is not equivalent to computation, then what is it? Don't take the easy way out of asking me to define it, you define it as something other than the ability to successfully apply computation to the environment.
Was Hellen Keller not intelligent because she lacked the ability to see or hear? Is intelligence defined by a particular set of sense organs? A particular way of interacting with the environment? What about paraplegics, are they disqualified from being considered intelligent because they lack the same embodied experience as others?
Whenever you give someone kudos for being brilliant, it is always for their ability to successfully compute something. If that isn't what we're discussing when we're talking about intelligence, then what are we discussing?
Yes, put words in my mouth and then ask me to defend them. Clearly I expressed support for the view that humans have a "magic soul that is too important beautiful to ever be equalled by a machine"...
On the other hand, you are clearly stating that intelligence is computation. But you're right, it would be too easy to ask you to define what any of those words mean AND to back that claim.
I've done my best to express a logical argument for my assertions. I've defined what I mean by intelligence, and given examples of humans who lack major senses or physical capabilities, and yet are still considered intelligent; attempting to argue that intelligence is not tied to any physical characteristic, but is rather a dexterity and facility with computation. I haven't yet grokked what you're actually arguing, though. You just seem to dislike the idea of intelligence being compared to computation, but I don't know what you're offering as an alternative.
reply