On Sun, Jul 15, 2018 at 11:31 AM Philipp Kern <pk...@debian.org> wrote:
> On 15.07.2018 10:42, Dashamir Hoxha wrote:
> > Description:
> > A simple command-line password manager that keeps passwords inside a
> > gpg encrypted tgz archive. The content of the archive is a directory tree
> > with a file for each password entry. The first line of the file is the
> > password, and the rest can optionally be additional or related info.
> > It provides commands for manipulating the passwords, allowing the user
> > to add, remove, edit, generate passwords etc.
> >
> > Repository: https://github.com/dashohoxha/pw
> > Documentation: http://dashohoxha.github.io/pw/man/
> >
> > This program started by forking 'pass': http://www.passwordstore.org/
> > I suggested a few changes to it, which were not accepted, so I forked
> > it and made further changes and improvements, until it became a
> > completely different program.
> > See:
> > - https://lists.zx2c4.com/pipermail/password-store/2016-January/001887.html
> > - https://lists.zx2c4.com/pipermail/password-store/2016-January/001902.html
> > - https://lists.zx2c4.com/pipermail/password-store/2016-January/001928.html
>
> I have to say that I'm pretty unconvinced of this code.
>
> * The archive is temporarily stored unencrypted on disk: encrypt and
> decrypt do an in-place operation with gpg, which is done wherever the
> encrypted archive lives. So tar stores onto disk into the target path,
> then the result is encrypted with gpg and the original is erased using
> rm -rf (also ignoring errors in case the file fails to delete). The
> inverse happens for decryption.
> * Symmetric and asymmetric encryption are not actually exclusive as the
> author makes it sound on the mailing list thread as gpg can wrap the
> session key with both symmetric and asymmetric keys.
> * Error handling in the script is wonky. I wonder if we could end up
> with an actual "rm -rf /" in case mktemp for WORKDIR fails. Errors on
> untar and tar are suppressed...
> * Comments like [0] aren't exactly inspiring either. The quoting in the
> script is "interesting". Sure, maybe you're asking for trouble anyway if
> your home directory contains a space, but this script will break in
> interesting ways. :)

All your assertions/assumptions are wrong. Either you did not look close
enough to the code, or you are not an expert on bash scripting (bash is a
bit cryptic and difficult to understand even for experts).

> I did not look at the original code of pass, but I don't find this code
> handling secrets confidence inspiring, to be honest.

Instead of basing your judgment on general opinions, why don't you try to
find any particular situation that will break the script in some
interesting way ;) This is called proof by counter-example. If you cannot
do this, and if nobody else can do this, then you cannot claim that it is
not safe to use this script.

Best regards,
Dashamir Hoxha

> Kind regards
> Philipp Kern
>
> [0] https://lists.zx2c4.com/pipermail/password-store/2016-January/001932.html
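Philipp's review names three concrete things: the plaintext tar is written to disk next to the encrypted archive, tar and gpg errors are suppressed while a failed mktemp can leave WORKDIR empty before an rm -rf, and paths with spaces are not quoted. The script below is an added example of the pattern that avoids all three; it is not code from pw, pass or either poster. The function names, the "pw.XXXXXXXX" template and the gpg flags in the two wrappers are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from pw or pass. Plaintext is streamed through a
# pipe instead of being written beside the encrypted archive, tar and gpg
# failures are not suppressed, and the work directory is validated before
# anything is removed. Function names, the "pw.XXXXXXXX" template and the
# gpg flags are this example's own choices.
set -euo pipefail

# Create a private work directory. If mktemp fails the function fails, so a
# caller doing WORKDIR=$(make_workdir) || exit 1 never continues with an empty
# WORKDIR that a later rm -rf "$WORKDIR" would turn into the wrong path.
make_workdir() {
    local dir
    dir=$(mktemp -d "${TMPDIR:-/tmp}/pw.XXXXXXXX") || return 1
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Remove a work directory. ${1:?} aborts if the argument is unset or empty,
# and "--" stops a name beginning with "-" from being read as an option.
cleanup_workdir() {
    local dir=${1:?cleanup_workdir: missing directory}
    rm -rf -- "$dir"
}

# pack_dir DIR OUT CMD...: tar DIR and pipe the stream through CMD (the
# encryption filter), writing only CMD's output to OUT. The plaintext tar
# never exists as a file. With pipefail a tar error fails the pipeline
# instead of leaving a truncated archive behind. Every path is quoted, so
# "my secrets" works as well as "secrets".
pack_dir() {
    local dir=$1 out=$2
    shift 2
    tar -C "$dir" -cf - . | "$@" > "$out"
}

# unpack_archive IN DIR CMD...: the inverse; CMD is the decryption filter.
unpack_archive() {
    local in=$1 dir=$2
    shift 2
    "$@" < "$in" | tar -C "$dir" -xf -
}

# gpg wrappers (assumption: gpg on PATH, prompting through its own pinentry).
# As the review notes, symmetric and public-key encryption combine: with both
# --symmetric and --recipient, gpg wraps the one session key with each.
encrypt_dir() {     # encrypt_dir DIR ARCHIVE [RECIPIENT]
    if [ -n "${3:-}" ]; then
        pack_dir "$1" "$2" gpg --quiet --symmetric --encrypt --recipient "$3"
    else
        pack_dir "$1" "$2" gpg --quiet --symmetric
    fi
}
decrypt_archive() { # decrypt_archive ARCHIVE DIR
    unpack_archive "$1" "$2" gpg --quiet --decrypt
}
```

Typical use is encrypt_dir "$HOME/my passwords" "$HOME/pw.tar.gpg" to create the archive, and d=$(make_workdir) || exit 1; trap 'cleanup_workdir "$d"' EXIT; decrypt_archive "$HOME/pw.tar.gpg" "$d" to open it, so the decrypted tree lives only in a mode-700 directory that is removed on exit. The filter is a parameter so the pipeline can be exercised with cat or gzip where gpg is not available; adding -z to both tar calls gives the tgz layout pw uses.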