Security Vulnerability: Faulty GPG Signature Checking

Ben Oliver ben at bfoliver.com
Fri Jun 15 15:34:21 CEST 2018


On 18-06-16 01:11:51, Steve Gilberd wrote:
>I feel the same - the simplicity of it, and the ability for me to easily
>audit the source code, are significant reasons for my choosing *pass* as my
>password manager.
>
>I feel quite strongly that it should remain both simple / small, and
>ideally still written in bash. No objections to a rewrite to clean things
>up though.

I don't think that 'simple' necessarily means bash. Yeah, people can 
read the script, but you can argue that about any language you know or 
don't know.

If you can rewrite pass, keeping the gpg and git integration, then I 
don't think the language matters too much. If the maintainer feels a 
bash script is just spiralling out of control, then it should go.

What I like about pass is what Héctor mentioned... the fact that you can 
just use gpg to get a password out of the system is killer, and is huge 
insurance against data loss. There are other ways to access your data, 
not just with the program you created it with.

You know how pass works, even without looking at the source code. That's 
because you know how gpg and git work. It's a beautiful idea. I don't 
think that the language pass is written in matters that much so long as 
the core functionality stays.

Yes, I am a professional fence-sitter ;)
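The "insurance against data loss" point in the message above, as an added example that is not part of the original post or of the pass project's own code: it builds a store in pass's on-disk layout (a `.gpg-id` naming the recipient, one gpg-encrypted file per entry, the whole tree under git) and then reads an entry back with nothing but plain `gpg`. It assumes `gpg` (GnuPG 2.1 or later) and `git` are on `PATH`; the key user ID, the store path, the entry name and the password are constructed for the demonstration and live in a throwaway `GNUPGHOME`, so nothing under `$HOME` is touched.

```shell
#!/bin/sh
# Added example (not from the post or from pass itself): a password store is
# just gpg files in a git repo, so plain gpg recovers an entry without pass.
# Assumes gpg (GnuPG 2.1+) and git on PATH. Everything below is throwaway.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"      # isolated keyring, never touches ~/.gnupg
STORE="$WORK/password-store"        # stands in for ~/.password-store
KEY_UID="demo-pass@example.invalid" # hypothetical owner of the throwaway key
mkdir -m 700 "$GNUPGHOME"

# Kill the agent spawned for the throwaway keyring and remove the work dir.
cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# Throwaway key with no passphrase so gpg never has to prompt.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$KEY_UID" default default never

# Lay the store out the way pass does: .gpg-id names the recipient, each
# entry is <name>.gpg whose plaintext's first line is the password, and the
# directory is a git repository holding the history.
create_store() {
    mkdir -p "$STORE/web"
    printf '%s\n' "$KEY_UID" > "$STORE/.gpg-id"
    printf '%s\n' "hunter2-constructed" "url: https://example.invalid/login" |
        gpg --batch --quiet --yes --trust-model always --encrypt \
            --recipient "$(cat "$STORE/.gpg-id")" \
            --output "$STORE/web/example.gpg"
    git -C "$STORE" init -q
    git -C "$STORE" -c user.name=demo -c user.email="$KEY_UID" add -A
    git -C "$STORE" -c user.name=demo -c user.email="$KEY_UID" \
        -c commit.gpgsign=false commit -q -m "Add web/example"
}

# Recover an entry with gpg alone: decrypt the file, take the first line.
# This is exactly the fallback the post describes; pass is not involved.
recover_without_pass() {
    gpg --batch --quiet --decrypt "$STORE/$1.gpg" | head -n 1
}

# The store's history is ordinary git history, readable with ordinary git.
history_count() {
    git -C "$STORE" rev-list --count HEAD
}

create_store
echo "recovered with plain gpg: $(recover_without_pass web/example)"
echo "commits in store history: $(history_count)"
```

The only pieces of pass-specific knowledge the recovery needs are the file layout and the convention that the password is the first line of the plaintext; everything else is standard gpg and git, which is why the format survives the tool that wrote it.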