Security Vulnerability: Faulty GPG Signature Checking

Steve Gilberd steve at erayd.net
Fri Jun 15 15:49:14 CEST 2018


On Sat, 16 Jun 2018 at 01:36 Ben Oliver <ben at bfoliver.com> wrote:

> I don't think that 'simple' necessarily means bash.

It doesn't - 'simple' and 'written in bash' were two separate points. I was
endorsing bash, because:
 (a) bash is something I already know and can easily audit; and
 (b) bash has no concept of packages, which removes the temptation to import
arbitrary functionality.

I don't have any objection to other languages in principle, but bash has
some compelling points that make it ideal *for my particular use-case*.

> You know how pass works, even without looking at the source code.

But I'm not looking at the source to figure out how it works. I'm looking
at the source to ensure it is trustworthy.

Cheers,
Steve
-- 

Cheers,

*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019, The Terrace, Wellington 6143, NZ*


More information about the Password-Store mailing list