Thanks for your thorough response! I can see that you thought about this
before and I understand your decision. It is not my intention to engage
in a UNIX philosophy war, but my concerns were about maintainability and
the ability to reason about the program's behavior.
> I'm adamant that stripping away usages or options is not helping
> anyone here, other than supporting a UNIX philosophy war. That's not
> the design of age, it's designed to be picked up by users easily.
My main concerns about those convenience features are, that they
complicate the code and thus make it harder to understand or audit and
that they introduce new threats (e.g. downloading and parsing files from
the internet). I can, however, see that those features make age more
user friendly. I guess if the code is carefully written and reviewed,
they will not cause great harm.
> Overall this is to say "I see your point, but that is not what we are
> looking for in terms of user experience"
I understand and respect your decision.
> > what if a recipient file was named 'age1recipients.txt'?)
> > and in consequence make age more secure (less features means less
> > exploitability).
>
> This can likely be detected and warned at, rather than dropping recipient files.
I think such "conditional interactivity" would be inconvenient for
using age in scripts, but I see that this is a rare edge case.
Slightly off topic: I just discovered that pull request #115 [1]
addresses this issue by requiring the 'file:' prefix for files, which
I find to be good idea. What do you think about including this in the
specification?
> > 2. HTTP recipient files
>
> These are still useful, There are likely some tweaks we can do to warn
> people against pulling insecure key files, but having the tool itself
> fetch this is useful.
Sounds like a good idea to warn the user about pulling files from the
internet, but I think it should be no more than a note in the usage text
or a (non-interactive) warning, to avoid the potential need for a new
command line flag which deactivates interactivity.
> > 3. GitHub recipients
>
> This is just a convenience feature, Often people find themselves in
> the use case of "I know their github, but not their public file
> encryption keys", the github shortcut serves to solve this easily,
> while to some degree admitting that the only git code host that really
> has critical mass is GitHub, of course that may change one day, but
> ideally we are focusing on making lives better now, we can always drop
> or add other macros when it's deemed worth it, but giving this feature
> is slightly obscure and really a edge case handler, I think it's okay
> for now.
Point taken. If HTTP interactivity gets implemented, I guess
implementing this little convenience function is no big change, so it
wouldn't bother me too much.
Best Regards,
Richard Ulmer
[1]
https://github.com/FiloSottile/age/pull/115