[pass] [PATCH] Allow custom subcommands

Sylvain Viart sylvain at opensource-expert.com
Fri Oct 7 09:28:53 CEST 2016


Hi,

On 04/10/2016 at 07:40, Brian Candler wrote:
> On 04/10/2016 05:45, Sylvain Viart wrote:
>> Pass itself could be signed. By the user at init.
> But why? Do you have a version of Linux which only executes signed
> scripts/binaries?
No, just an idea to share. It could be a bad idea, of course…
And also because the web of trust interests me. :-)

Not only signed scripts.

> As for the admin being tricked into installing a malicious plugin -
> what's the difference between that and installing a malicious version
> of 'pass' itself?
>
> The only protection for 'pass' is installing it from a trusted
> location, and/or verifying the code by eye. Surely the same applies to
> plugins?

You're right of course.

But what about non-programmer users?
I can't tell them to do that, right?

Sometimes (often) I don't have time to review the code myself; I need
to trust the system and free my mind of this issue. For example,
running a GNU/Linux distro + passwordstore, let's say I'm trusting that,
so I can go.

That was more my point. .deb packages are signed and reviewed by some
volunteers; I don't know if the system is perfect or not, but I'm
trusting it. ;-)

Sylvain.
-- 
Sylvain Viart - DevOps système linux - freelance developer