Security Vulnerability: Faulty GPG Signature Checking

Ben Oliver ben at bfoliver.com
Fri Jun 15 09:32:34 CEST 2018


On 18-06-15 09:16:27, Volkan Yazıcı wrote:
>I see the point of replacing bash with another programming language, that
>being said, I feel the urge to say something about this without falling
>into the trap of ranting about programming languages. One of the key points
>of pass that was really the selling point for me was, apart from perfectly
>solving the problem it was designed to solve, the transparency of the
>implementation.

This is it for me too. The design is so simple that the drawbacks, like
having the file names exposed, are immediately obvious to any newcomer.
There are no nasty surprises down the line - it's just gpg and git.

I'm not saying that moving away from bash is a bad idea, just that it is 
important to think about what initially drew people to pass over other 
(perhaps more conventional database-backed) solutions.