Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200])
    by mail-b.sr.ht (Postfix) with ESMTPS id B756FFF11B
    for <~gpanders/passage@lists.sr.ht>; Wed, 2 Dec 2020 15:56:36 +0000 (UTC)
X-Originating-IP: 98.32.4.57
Received: from localhost (c-98-32-4-57.hsd1.nm.comcast.net [98.32.4.57])
    (Authenticated sender: greg@gpanders.com)
    by relay7-d.mail.gandi.net (Postfix) with ESMTPSA id C34D820016;
    Wed, 2 Dec 2020 15:56:34 +0000 (UTC)
Date: Wed, 2 Dec 2020 08:56:31 -0700
From: Gregory Anders
To: Robin Opletal
Cc: ~gpanders/passage@lists.sr.ht
Subject: Re: Motivation for the project
Message-ID:
Mail-Followup-To: Robin Opletal, ~gpanders/passage@lists.sr.ht
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Disposition: inline
In-Reply-To:

On Wed, 02 Dec 2020 at 02:29 PM, Robin Opletal wrote:
>Hi,
>
>I wanted to ask if someone would be nice enough to elaborate on the
>advancements that this project brings over pass itself - are there some
>real benefits to passage over pass as far as security goes?
>
>Thanks!
>Robin

Hi Robin,

I expect that this will probably be a common question, so I do intend to
add a "Motivation" section to the README or documentation at some point
once I get the basic functionality stable.

My primary motivation for starting this project was initially runtime
speed. I don't know if this is a common issue for others, but pass was
often taking between 1.5-2 seconds to retrieve a single password. This
just felt too slow to me and was particularly noticeable when using pass
to retrieve credentials at program startup (for example, mutt uses pass
to retrieve my IMAP password, and this was adding ~2 seconds to mutt's
startup time).

Part of this is due to gpg itself. My unscientific analysis shows that
gpg itself takes just under 1 second to decrypt a file. The remainder of
the latency was solely due to pass (likely due to the fact that it's
written in shell script).

My original intent was to simply "rewrite" pass in Rust with the dual
intention of improving runtime performance as well as finally having an
excuse to learn Rust. However, shortly after starting I realized that
this was also an opportunity to take advantage of some of the
up-and-coming encryption tools outside of gpg. I personally have no love
lost for gpg; I find it complex and annoying to use. I think age
(pronounced ah-GAY) is a well-designed, Unix-like encryption tool with a
lot of potential, and it just so happens to have a Rust implementation :)

The results so far are quite promising. Where pass takes anywhere from
1.5-2 seconds to retrieve a password, passage can do it in about 12
milliseconds. That's at least a 125x improvement in runtime performance.
By using age instead of gpg, there's also no more futzing about with
gpg's UX (this may or may not be appealing to you depending on how you
feel about gpg, of course).

I hope that answers your question satisfactorily. Let me know if I can
elaborate on anything.

Gregory