[pass] [PATCH] Allow custom subcommands
Thorsten Wißmann
edu at thorsten-wissmann.de
Mon Oct 3 19:30:58 CEST 2016
Hi Sylvain,

On Mon, Oct 03, 2016 at 07:20:47AM +0200, Sylvain Viart wrote:
> On 30/09/2016 at 11:33, Thorsten Wißmann wrote:
> > if there is an executable pass-clipwiz in the PATH. This does not only
> > fit the usual pass workflow (first show a file, then paste it using
> > clipwiz), but one also gets the tab-completion for custom pass scripts
> > for free.
>
> Sounds cool!
>
> See also:
>
> [pass] Extending pass with user-defined hooks / add ons
> https://lists.zx2c4.com/pipermail/password-store/2015-August/001659.html

I see, thanks! I think the main decision is whether those extensions
should be part of "the password store" (that approach) or of the system
(my approach).

> Does GPG web of trust sure enough, to allow co-signing script to enable
> such signed plugins?

I don't understand your question. But are you asking how my patch could
be extended to call only 'signed' extensions?

If some bad guy has write access to some directory in $PATH and wants to
take over your password store, then the bad guy can simply add a
malicious `pass` executable and the user would not notice.

I.e. I don't think `pass` should do something like signing of program
code. It's some separate problem to check if the programs in your $PATH
are trustworthy or not.

Cheers,
Thorsten
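
The separate check mentioned in the message above, sketched as an added example (not part of the original message, the patch, or pass itself): it walks a PATH-style string, flags entries where another account could plant a `pass` or `pass-*` executable, and lists the `pass-*` commands it finds. The function name `audit_pass_path` and the output labels are hypothetical; the `pass-NAME` naming is assumed from the `pass-clipwiz` example in the thread.

```sh
#!/bin/sh
# Added example: audit a PATH-style string for places where someone else
# could plant a `pass` or `pass-*` executable. One finding per output line:
#   RELATIVE <entry>  empty or relative entry (resolved against the cwd)
#   WRITABLE <dir>    directory is group- or world-writable
#   OWNER <dir>       directory owned by neither root nor the current user
#   EXT <file>        executable named pass-* (naming assumed from the thread)
audit_pass_path() (
    IFS=:
    set -f                          # no globbing while splitting on ':'
    for dir in $1; do
        set +f                      # globbing is needed again for pass-*
        case $dir in
            /*) ;;
            *)  echo "RELATIVE ${dir:-<empty>}"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # Mode string and numeric owner of the directory, symlinks followed.
        meta=$(ls -ldLn "$dir" | awk '{print $1, $3}')
        perms=${meta%% *}
        owner=${meta#* }
        case $perms in
            ?????w*|????????w*) echo "WRITABLE $dir" ;;
        esac
        if [ "$owner" != 0 ] && [ "$owner" != "$(id -u)" ]; then
            echo "OWNER $dir"
        fi
        for f in "$dir"/pass-*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                echo "EXT $f"
            fi
        done
    done
)

# Audit the current environment.
audit_pass_path "$PATH"
```

Any `WRITABLE`, `OWNER` or `RELATIVE` line that appears before the directory holding the real `pass` marks a spot where a replacement binary would be picked up first.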