<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Not padding is NOT the issue. Padding simply adds obscurity (in
this case).</p>
<p>The issue is that pass does leaks metadata (this has been
discussed), so using it in a public repo is a bad idea IMHO.</p>
<p>You could write an extension for that if you want, but you are
not solving anything by just padding. <br>
</p>
<p>What needs to be done is fix the meta leak, and that isn't
possible with the pass scheme. At most, you can use something like
tomb and then sync a single large binary file that does solves
everything, except the fact that is very annoying given it's size.</p>
<p>Cheers!<br>
</p>
<br>
<div class="moz-cite-prefix">On 02/24/2017 11:12 AM, Kevin Lyda
wrote:<br>
</div>
<blockquote
cite="mid:CADJ56BQE=0-WGVzakSx60LkxBsO1wYQStVoFtN6KGCUGd91z2w@mail.gmail.com"
type="cite">
<div dir="ltr">Note that you can store more than just the
password. Put the password of the first line and then put
information about the password on the next lines. That will
obscure the length.
<div><br>
</div>
<div>Kevin</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Feb 24, 2017 at 1:39 PM Thibault Polge
<<a moz-do-not-send="true" href="mailto:thibault@thb.lt">thibault@thb.lt</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">> In any
case, I agree it should be clearly documented.<br
class="gmail_msg">
<br class="gmail_msg">
Here's a draft of two very short paragraphs that could be
added at the<br class="gmail_msg">
end of the manpage, in a new “Limitations” section, just
before “See<br class="gmail_msg">
also”:<br class="gmail_msg">
<br class="gmail_msg">
> The hierarchy of password names is stored as a plain text
directory<br class="gmail_msg">
> structure. Pass itself does nothing to conceal the names
you give to<br class="gmail_msg">
> your keys or to the folder structure which contains them.<br
class="gmail_msg">
><br class="gmail_msg">
> Pass also does nothing to hide the size of the data it
encrypts. The<br class="gmail_msg">
> design of OpenPGP makes it trivial to compute the length
of the<br class="gmail_msg">
> cleartext from the length of the cyphertext.<br
class="gmail_msg">
<br class="gmail_msg">
I'm not good at nroff stuff, but if there are no objections,
I'll try<br class="gmail_msg">
and send a patch to pass.1<br class="gmail_msg">
<br class="gmail_msg">
Thanks all for your feedback,<br class="gmail_msg">
Best regards,<br class="gmail_msg">
Thibault<br class="gmail_msg">
_______________________________________________<br
class="gmail_msg">
Password-Store mailing list<br class="gmail_msg">
<a moz-do-not-send="true"
href="mailto:Password-Store@lists.zx2c4.com"
class="gmail_msg" target="_blank">Password-Store@lists.zx2c4.com</a><br
class="gmail_msg">
<a moz-do-not-send="true"
href="https://lists.zx2c4.com/mailman/listinfo/password-store"
rel="noreferrer" class="gmail_msg" target="_blank">https://lists.zx2c4.com/mailman/listinfo/password-store</a><br
class="gmail_msg">
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Password-Store mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Password-Store@lists.zx2c4.com">Password-Store@lists.zx2c4.com</a>
<a class="moz-txt-link-freetext" href="https://lists.zx2c4.com/mailman/listinfo/password-store">https://lists.zx2c4.com/mailman/listinfo/password-store</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
HacKan || Iván
GPG: 0x35710D312FDE468B</pre>
</body>
</html>