Re: [PATCH] Fix releasing procedure
From: Gary V. Vaughan
Subject: Re: [PATCH] Fix releasing procedure
Date: Tue, 27 Jan 2004 11:54:39 +0000
On Tuesday, January 27, 2004, at 10:40 am, Alexandre Duret-Lutz wrote:
> On Tue, Jan 27, 2004 at 10:17:52AM +0000, Scott James Remnant wrote:
>> *gulps* it stores my GPG passphrase in a shell variable?!
> Yep. Just like mailcrypt stores it in an emacs variable, or gpg in a
> C variable. What's the difference?

I was about to ask how you get the passphrase into gpg without it showing up in the process table for an instant, but you seem to have tried to address that. Notice that at the point that you pass the passphrase to gpg's stdin on a pipe you are calling echo with the PATH set by the user:

    echo $passphrase | $GPG --passphrase-fd 0 -ba -o $file.sig $file

Oops!

Better than PATH fiddling in the environment, it would be good to detect bash and use 'builtin echo' (and similar for ksh and zsh). I think you should also call gpg with an absolute path to forestall a trojan gpg which could log the passphrase.

I'd be happier using the script if you supported quintuple agent, so that if gpg is getting its passphrase from gpg-agent already, then there is no need to save it in the script at all. I'm no security expert, and even I've found a couple of vulnerabilities. I have to say that I wouldn't use the script on a networked machine as it stands.
Cheers,
Gary.
--
Gary V. Vaughan ())_. address@hidden,gnu.org}
Research Scientist ( '/ http://www.oranda.demon.co.uk
GNU Hacker / )= http://www.gnu.org/software/libtool
Technical Author `(_~)_ http://sources.redhat.com/autobook