Tom Morris

It's been most interesting watching the rather strange larval development of the various aspects of the Mozilla suite (formerly Netscape Communicator) into the separate pieces. I finally tried out Sunbird today.

Most of it isn't particularly interesting: it's an iCal client which can use the CalDAV protocol to subscribe to remote calendars. But there is one thing which makes it amazing: the Provider for Google Calendar plugin. How does this sound: a free, open source, cross-platform calendaring system that syncs with Google Calendar, and store those events for when you aren't connected to the cloud? Cool!

If I were in charge of the Google Calendar team over in sunny Mountain View, I'd get some of the engineers to start working on Sunbird - getting deep integration, cleaning the UI up a bit and so on. And Apple should really add a plugin architecture to iCal. Hopefully Sunbird will be a catalyst for nice lightweight, cloud-aware calendaring apps, nailing another few nails into the creaking coffin of Microsoft Outlook.

Last night, before going out for post-conference merriness after OpenTech 2008 (a really cool event, btw), I took part in a bit of a key-signing party. Key-signing has been made fun of on XKCD (leading to reader confusion). While I was there, David McBride showed me a tool on Debian Linux called "Caff" - it's up on the web here, described as a CA (as in Certificate Authority) "fire and forget" tool.

I looked at it, but it was a jumble of highly mind-bending Perl code, so I decided to rewrite it. In Ruby. For the Mac. After a lot of frustration, it's done. And I present KeyRub. KeyRub takes a space-separated list of GPG short-hexes (mine is "A6A4F54E"), goes online, grabs the key, shows you the fingerprint of the key, then presents you with the prompt to sign the key. If you choose to sign the key, it then makes an encrypted version of the key with your signature available for each of the listed e-mail addresses and mails them out. This is a much quicker process than sending random data out and then waiting for a response, then signing, then publishing. It also means that the signee can choose to publish your signature only if they want to.

In addition, because storing e-mail server passwords in plaintext just sucks, I have used the "security" command line utility (which is a command-line interface to the OS X Keychain - and boy is it easier to use it this way than faffing around with Python or Ruby Objective-C bindings) to get my Gmail password out. Obviously, this won't work on non-OS X systems. And if this script wasn't built only for my own usage, I'd make it so that it would extract my Gmail username from the Keychain also. But that isn't likely to change too often. Hint: if you are building command-line-based scripts that interact with servers or APIs, use the Keychain on OS X. It rocks.

What is all this key-signing stuff about? Well, you should start using GPG. Even our supposedly liberal, freedom-respecting, Western governments are screwing around with our privacy, and GPG allows you to fight back. Use it to encrypt your e-mails and files, as well as do things like sign software (this is tremendously useful - if you make a piece of software, signing it means that others can redistribute it, safe in the knowledge that others can check its veracity). If you are in London, I am often at geek events, and am always willing to sign keys - my policy is I accept only government-issued IDs (passport or driving licence) with discretionary cultural name variability (ie. if your passport says "Thomas" but your key says "Tom", that's fine - if your passport says "Thomas" and your key says "31337h@x0rZftw!1!", think again).