Security Vulnerability: Faulty GPG Signature Checking

Gabriel Filion gabster at lelutin.ca
Tue Jun 19 05:32:17 CEST 2018


On 2018-06-15 10:47 AM, Ben Oliver wrote:
> On 18-06-16 01:53:52, Steve Gilberd wrote:
>> One other thought regarding the choice of language. I personally keep a
>> copy of pass stored *inside my pass git repository*, so that I can still
>> easily use it on systems where pass is not installed without adding too
>> many extra steps. Bash is everywhere, which makes it extremely portable.
> 
> That's a really interesting use-case that should definitely be taken
> into account. I always keep it in my PATH so I never think of it as a
> script really, but if people are doing this then it is quite a good
> reason to stay with bash.

other scripting languages can also let you do this. a python script that
has a #! as a first line can be moved around and still work. you can
also use a virtualenv to keep around a complete working environment with
you.

bash is horrible at handling strings of text inside variables without
opening up holes everywhere.

the biggest disadvantage to bash is really the need to call gpg directly
and parse its output. doing this is really the biggest PITA that could
end up exploding maintenance of this project.
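What parsing gpg's output properly looks like, as an added example that is not code from pass or from anyone in this thread: it reads the machine-readable status stream (what `gpg --status-fd` emits) instead of grepping the human-readable, locale-dependent messages, and the fingerprints, user IDs and status lines below are constructed placeholders, with the allow-list standing in for whatever key policy the store keeps.

```sh
#!/bin/sh
# Added example (not pass's own code): accept a signature only if gpg's status
# stream contains a VALIDSIG line whose primary-key fingerprint is on the
# allow-list and no failure status (BADSIG, ERRSIG, expired/revoked key,
# missing key) appears. Grepping "Good signature" from stderr cannot tell a
# trusted signer from any key gpg happens to have, and breaks under other locales.

# $1: captured status text, $2: space-separated trusted primary-key fingerprints.
check_gpg_status() {
    status=$1
    allowed=$2
    valid=0
    bad=0
    # The here-document keeps the loop in the current shell, so valid/bad survive it.
    while IFS=' ' read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                # VALIDSIG fields: fpr date ts expire ver reserved pk-algo hash-algo class [primary-fpr]
                set -- $rest
                primary=${10:-$1}
                case " $allowed " in
                    *" $primary "*) valid=1 ;;
                esac ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) bad=1 ;;
        esac
    done <<EOF
$status
EOF
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample status output; the fingerprints are placeholders, not real keys.
TRUSTED_FPR=AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
OTHER_FPR=9999888877776666555544443333222211110000
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DDDD4444EEEE5555 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $TRUSTED_FPR 2018-06-18 1529303537 0 4 0 1 8 00 $TRUSTED_FPR
[GNUPG:] TRUST_FULLY 0 pgp"
# Would print "Good signature" in the human-readable output, but the key is not trusted here.
UNTRUSTED_STATUS="[GNUPG:] GOODSIG 3333222211110000 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG $OTHER_FPR 2018-06-18 1529303537 0 4 0 1 8 00 $OTHER_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"
BAD_STATUS="[GNUPG:] BADSIG DDDD4444EEEE5555 Example Signer <signer@example.invalid>"

# prints: accepted, rejected, rejected
for s in "$GOOD_STATUS" "$UNTRUSTED_STATUS" "$BAD_STATUS"; do
    if check_gpg_status "$s" "$TRUSTED_FPR"; then echo accepted; else echo rejected; fi
done
```

In a real invocation the status text comes from `gpg --status-fd 1 --verify ... 2>/dev/null` (or a dedicated fd), and the allow-list from the store's own key configuration.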
