Security Vulnerability: Faulty GPG Signature Checking

Matthieu Weber mweber at free.fr
Fri Jun 15 07:57:57 CEST 2018


On Thu, 14 Jun 2018 at 05:11PM -0400, Mark Gardner wrote:
> On Thu, Jun 14, 2018 at 19:49:56 +0200, Tobias Girstmair wrote:
> > *simple* bash scripts I've found are either trivial or
> > {fragile,wrong,buggy,insecure}. Again, I'd support C (or anything widely
> > supported) for pass 2.0
> 
> Lately I have switched all my C hacking over to Golang (Go). While pass
> would need to be compiled individually for each platform, it would keep
> portability, including Windows. We should seriously consider re-writing
> pass in Go.

It is very difficult to write correct programs in C, and very easy to
write C programs with security holes in them. Since the topic here is
security, I would advise against C. Go, Rust, Java even, or scripting
languages such as Python, Ruby or even Perl are probably safer than C (or
C++).
 
Matthieu
-- 
 (~._.~)            Matthieu Weber - mweber at free.fr              (~._.~)
  ( ? )                http://weber.fi.eu.org/                    ( ? ) 
 ()- -()          public key id : 0x85CB340EFCD5E0B3             ()- -()
 (_)-(_) "Humor ist, wenn man trotzdem lacht (Otto J. Bierbaum)" (_)-(_)