Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-09-11 Thread Robert J. Hansen
> The source in question is on GitHub > at https://github.com/GPGTools/localizeXIB and the binary is no longer > required to compile pinentry-mac. Given we've already had this conversation (about the inappropriateness of binary blobs in what should be FOSS software) once, I feel the need to say th

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-09-11 Thread steve
Dear all, any bug reports should be filed on our support platform at https://gpgtools.tenderapp.com . For highly sensitive inquiries you can always get in touch at t...@gpgtools.org - our public key is on our homepage, bottom left, an

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-08-23 Thread Jonathan Schleifer
Sorry for reviving this old thread. But since you guys still don't accept bug reports (why?!)… I'm not sure whether this is better or worse than the old situation, but now you include an unsigned binary in your tree that is executed as part of the build process. Nowhere can be found what this b

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-22 Thread Lukas Pitschl | Dressy Vagabonds
Hi Jonathan, yes, we've created a quick prototype today which is only a start at looking how it could best be done. We pushed it to github only, so that our other team members could have a look at it. After we decide how to go forward from here, we'll split up the commits with proper comments.

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-21 Thread Hugo Osvaldo Barrera
On 2015-02-17 22:32, Lukas Pitschl wrote: > Hi all, > > > > The code that checks out our GPGTools_Core repository is pretty old already > and it’s certainly a stupid way to do it. > At the time we assumed that it was safe to check it out via ssl from github, > since curl would refuse to do so

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-21 Thread Jonathan Schleifer
On 20.02.2015 at 11:48, Lukas Pitschl wrote: > Pinentry-mac is one project we’ve „revived“ and thus only added stuff on top > of the old code instead of refactoring it. > We’ve been planning to do that for a long time now though, so we’ll > definitely look into that and check out how other UIs

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-21 Thread Ville Määttä
On 21 Feb 2015, at 15:55, Xavier Maillard wrote: > > Hi Ville, > > Ville Määttä writes: > >> I happen to use Mail so for a long time I’ve been using the GPGMail >> plugin with a brewed[2] upstream GnuPG. I.e. *just one of the >> things in the GPG Suite*. I’ve talked about this setup before in

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-21 Thread Xavier Maillard
Peter Lebbing writes: > On 2015-02-19 18:16, Jonathan Schleifer wrote: >> I also like @ to hide useless output, but is downloading *and >> executing* from a remote location really something you should hide? >> Especially if everything else isn't hidden? > > I can understand you're pretty darn pi

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-21 Thread Xavier Maillard
Hi Ville, Ville Määttä writes: > I happen to use Mail so for a long time I’ve been using the GPGMail > plugin with a brewed[2] upstream GnuPG. I.e. *just one of the > things in the GPG Suite*. I’ve talked about this setup before in > the thread [3]. If one doesn’t use Apple Mail there is no reas

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-21 Thread Werner Koch
On Fri, 20 Feb 2015 10:36, luk...@dressyvagabonds.com said: > In order to work around the hang, we’re running this call in a separate > thread now, and if it doesn’t return within a few seconds (5 at the moment), > it sends a timeout to the scdaemon. Why not using a simple alarm() based watchdo

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Lukas Pitschl
Pinentry-mac is one project we’ve „revived“ and thus only added stuff on top of the old code instead of refactoring it. We’ve been planning to do that for a long time now though, so we’ll definitely look into that and check out how other UIs do it, like GTK. Best, Lukas GPGTools On 20.02.2015

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Lukas Pitschl
I’m not sure if my last emails made it through the list. Pinentry-mac is one project we’ve „revived“ and thus only added stuff on top of the old code instead of refactoring it. We’ve been planning to do that for a long time now though, so we’ll definitely look into that and check out how other U

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Lukas Pitschl
> Yep, unfortunately it would appear the same or identical issue does > occur with a speedo build of 2.1.2. The issue is essentially that > smartcard works for the first time but once some-indeterminate-time has > passed, gpg just hangs. No pinentry, nothing just happens. /Will need to > troublesh

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Lukas Pitschl
On 20.02.2015 at 15:47, Ville Määttä wrote: > On 20.02.15 16:44, Lukas Pitschl wrote: >> Pinentry-mac is one project we’ve „revived“ and thus only added stuff on top >> of the old code instead of refactoring it. >> We’ve been planning to do that for a long time now though, so we’ll >> definite

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Lukas Pitschl
> > Well sure you do, with 2.0.* branch? At least the templates are being > installed by the suite installer. The on-demand change is with 2.1. > If I’m not mistaken it has been added in 2.0.24 or the like. The template for launchd is no longer installed by our installer. If it’s still on your

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Ville Määttä
On 20.02.15 16:44, Lukas Pitschl wrote: > Pinentry-mac is one project we’ve „revived“ and thus only added stuff on top > of the old code instead of refactoring it. > We’ve been planning to do that for a long time now though, so we’ll > definitely look into that and check out how other UIs do it,

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Ville Määttä
On 20.02.15 11:36, Lukas Pitschl wrote: >> No pinentry, nothing just happens. /Will need to >> > troubleshoot this further on 2.1.2 to try to find out more./ > We’ve noticed that the hang occurs in pcsc_get_status_change. Instead of > receiving a timeout, it simply hangs forever, due to a bug in Y

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Ville Määttä
On 20.02.15 11:29, Lukas Pitschl wrote: > It would be great if there’s an outline of the changes which might break > backwards compatibility (if any). From usage point of view: https://gnupg.org/faq/whats-new-in-2.1.html >> The things that would require a little changing are the launchd >> templ

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Ville Määttä
On 20.02.15 12:42, Jonathan Schleifer wrote: > Might I suggest that you start with pinentry? Agreed. > It would be really helpful if you could instead create a new subdirectory > cocoa and do it like the other pinentries. Oh yes, definitely agreed. Integrate the necessary changes to the upstrea

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Jonathan Schleifer
Great to see that you are planning on trying to bring things into shape so they can get upstreamed. Might I suggest that you start with pinentry? Currently, you import an old pinentry release and then build a lot of things around it. It would be really helpful if you could instead create a new

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Lukas Pitschl
> Ok, that link explains the certificate and it makes more sense. I can > see you've already changed at least the first link to the support site > on the front page. Great. > Yes, we started on the website and changing it everywhere the old link is referenced. > -- > Ville

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Lukas Pitschl
We’ve started to rework our build system in a different branch on github. It no longer fetches any remote code and removes the dependency from GPGTools_Core, which was previously fetched. It’s not complete yet, but we’re actively working on it and updating one „application“ at a time. Am 19.02.2

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Lukas Pitschl
> I haven't tried Patrick's installer but it should be a fine option as > the core. The Mail plug-in should work just fine with 2.1 like it works > with upstream 2.0.* builds. I'm not aware of any specific need for > MacGPG in that regard. Same goes for the other little helpers. > We also believe

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Werner Koch
On Thu, 19 Feb 2015 20:29, js-gnupg-us...@webkeks.org said: > Btw, does this mean that basically Ed25519 keys are stable enough now and > won't change anymore? If everything goes wrong, gpg will continue to support them if they don't make it into an RFC. Salam-Shalom, Werner -- Die Gedan

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Robert J. Hansen
> [1] https://en.wikipedia.org/wiki/Hanlon%27s_razor ; apparently > after Robert J. Hanlon, not Hansen ;P There are at least four guys in the security world named Robert Hansen; to make matters worse, some of us have spoken at the same conferences. My middle initial is only to distinguish me from

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 19.02.15 21:18, Ville Määttä wrote: > Surely someone from the KDE / larger community > using pinentry-qt4 has been working on a QT 5 version of pinentry? Ok, found it :). Issue #1806 [1]. [1]: https://bugs.g10code.com/gnupg/issue1806 -- Ville

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 19.02.2015 at 20:08, Werner Koch wrote: > Because I have to enter the PIN every time (right, I do this on purpose), > the RSA signatures are long, and I do not keep my signing key card > inserted all the time. In fact I have to walk out of the office to pick > it up. Another approach is to not

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 18.02.15 13:05, Jonathan Schleifer wrote: >> > Upstream still does have the issue which now seems to have been fixed in >> > the fork but in a binary removed from upstream… > I really cannot confirm this. I am running vanilla GnuPG 2.1.2 (built from > source) on Yosemite (10.10.2 to be exact)

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Werner Koch
On Thu, 19 Feb 2015 18:16, js-gnupg-us...@webkeks.org said: > I also like @ to hide useless output, but is downloading *and > executing* from a remote location really something you should hide? > Especially if everything else isn't hidden? Okay, someone please write a noscript extension for the l

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Werner Koch
On Thu, 19 Feb 2015 18:15, js-gnupg-us...@webkeks.org said: > I don't really see how that is cumbersome if you have an alias for tag > and for commit that each specify the key you want? Because it is too easy to forget about it. And I would need to teach Magit. I started to use a new key for com

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 18.02.15 07:21, Werner Koch wrote: >> wrappers or fixes upstream. Case in point: Has the fix for gpg-agent / >> > scdaemon hang been discussed upstream at all [4], [5]? In MacGPG there >> > is still ../libexec/gnupg-pcsc-wrapper which has been modified in >> > commit f4c3e1bb to fix the issues o

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 18.02.15 07:21, Werner Koch wrote: >> > command line tools. *I think there is no more reason to develop >> > MacGPG*, i.e. a port, anymore. Let the port die. > Can you briefly explain how Patrick's new installer [1] is related to that? > Would it be an option to use that as the core for gpgtools

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 17.02.15 23:32, Lukas Pitschl wrote: > The best way to reach us is either our support platform at > https://gpgtools.tenderapp.com or t...@gpgtools.org. Ok, that link explains the certificate and it makes more sense. I can see you've already changed at least the first link to the support site

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Peter Lebbing
On 2015-02-19 18:16, Jonathan Schleifer wrote: I also like @ to hide useless output, but is downloading *and executing* from a remote location really something you should hide? Especially if everything else isn't hidden? I can understand you're pretty darn pissed off that they executed untrust

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 18.02.2015 at 16:05, Werner Koch wrote: > I also do this often to avoid cluttering the screen. No need to assume > a backdoor. It is for a Mac and Mac users want a clean tty ;-) I also like @ to hide useless output, but is downloading *and executing* from a remote location really somethin

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 18.02.2015 at 15:57, Werner Koch wrote: >> git commit -S >> >> You can just create an alias for that, I for example use git ci. > > I know that but I would like to have a different key for tag and commit. > Requiring an option is just too cumbersome. I don't really see how that is cumbers

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Werner Koch
On Wed, 18 Feb 2015 20:24, d...@fifthhorseman.net said: >> as did a few other maintainers. However there was not only not a >> consensus to do this more generally, there was active opposition to >> doing it at all. > > that's a bummer :( I guess that is a GPL issue. They don't want any GPLed

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Sandeep Murthy
d of purist attitude >> about the perfect Linux platform and how great it is to have >> the perfect GnuPG set up. >> >> I would bet that more people who’ve used tools like GPG Suite >> have taken up encryption than those exposed to the command >> line subtleties o

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Daniel Kahn Gillmor
On Wed 2015-02-18 11:46:23 -0500, Doug Barton wrote: > On 2/18/15 2:52 AM, Jonathan Schleifer wrote: >> Well, I guess you have to take into account that a lot of downloads >> are from packaging software like pkgsrc, FreeBSD ports, Gentoo >> portage, ArchLinux's makepkg, etc. Usually, these do downl

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Robert J. Hansen
> "A user complained, so we'd rather use something insecure." That's not what the GPGTools folks did. Your caricature of their response is unfair and ungentlemanly.

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Doug Barton
On 2/18/15 2:52 AM, Jonathan Schleifer wrote: Well, I guess you have to take into account that a lot of downloads are from packaging software like pkgsrc, FreeBSD ports, Gentoo portage, ArchLinux's makepkg, etc. Usually, these do download the signature and tarball once, verify it and then write

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Werner Koch
On Wed, 18 Feb 2015 11:52, js-gnupg-us...@webkeks.org said: > I do verify the fingerprint, and they are quite easy to find actually: > > https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/ > > First Google match for "GitHub SSH fingerprint". Using a search engine to find impo

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Werner Koch
On Wed, 18 Feb 2015 12:21, js-gnupg-us...@webkeks.org said: > And even worse: Why did you decide to hide what is going on by > prefixing it with a @? This really feels like you are trying to deceive I also do this often to avoid cluttering the screen. No need to assume a backdoor. It is for a Ma

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Werner Koch
On Wed, 18 Feb 2015 12:05, js-gnupg-us...@webkeks.org said: > I suppose it might be a good idea to have a Qt GUI. That looks native Although Kleopatra is a KDE application there is not much of KDE in it and, iirc, Andre once suggested to turn it into a plain Qt application. Salam-Shalom, We

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Werner Koch
On Wed, 18 Feb 2015 11:54, js-gnupg-us...@webkeks.org said: > While this is much better from a security point of view, it still means that > building needs an internet connection. It would be nice to be able to build > it on an air-gapped machine, which I guess is quite a common use case for >

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 15:14, Hugo Osvaldo Barrera wrote: > Actually, I've noticed that there was a very quick reply to this when it was > brought to the dev's attention. I'll leave this here for anyone else > interested > in following-up: > > > https://github.com/GPGTools/GPGTools_Core/commit/518

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 22:32, Lukas Pitschl wrote: > The best way to reach us is either our support platform at > https://gpgtools.tenderapp.com or t...@gpgtools.org. When I tried contacting you guys a little more than a month ago, there was no e-mail to be found on the website. Only a support foru

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Samir Nassar
On Wednesday, February 18, 2015 12:05:18 PM Jonathan Schleifer wrote: > I suppose it might be a good idea to have a Qt GUI. That looks native enough > on Mac so that most users won't complain, works well on X11 or Wayland > based systems and also works well on Windows. Ideally, this would be a > pr

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 20:16, Juergen Fenn wrote: > Enigmail has discussed recently to drop support for GnuPG1, making > gpg-agent/pinentry a crucial issue on the Mac. The standard version of > pinentry from MacPorts does not work properly out of the box. For homebrew, there's a pinentry-mac formula,

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 17:00, Ville Määttä wrote: > Upstream still does have the issue which now seems to have been fixed in the > fork but in a binary removed from upstream… I really cannot confirm this. I am running vanilla GnuPG 2.1.2 (built from source) on Yosemite (10.10.2 to be exact) with a

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 14:58, Sandeep Murthy wrote: > FYI I think you haven’t really looked at the support forum. This page > > http://support.gpgtools.org/kb/faq/found-an-issue > > clearly lists instructions for submitting a bug. They are always interested > in reproducible issues, and every week

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 14:31, Werner Koch wrote: > GnuPG's speedo build system also downloads stuff via the Makefile but it > verifies the checksums before proceeding. The checksums are taken from a > public file which has a detached signature and the public key for that > is one of the GnuPG release

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 14:22, Werner Koch wrote: > I do not think that it matters whether you pull using the git or the ssh > protocol. In both cases an active attacker can intercept the traffic > easily. Virtually nobody checks ssh host keys and how should they do it > given that I can't find its f

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Peter Lebbing
On 17/02/15 22:32, Lukas Pitschl wrote: > We’ve recently been accused again of "knowingly lowering the overall > security“ [1] by not allowing such a key size. We’re still not sure what > to do about it exactly. There will always be people who think

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Werner Koch
On Tue, 17 Feb 2015 17:31, mar...@martinpaljak.net said: > GnuPG just got a huge sum of money, I'm sure arrangements can be made > to allocate some of that for an easy to use and *free* OSX version with > an integrated GUI ? I would consider it unfair to all true free software developers to take t

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Werner Koch
On Tue, 17 Feb 2015 17:00, mailing-li...@asatiifm.net said: > command line tools. *I think there is no more reason to develop > MacGPG*, i.e. a port, anymore. Let the port die. Can you briefly explain how Patrick's new installer [1] is related to that? Would it be an option to use that as the cor

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Lukas Pitschl
like GPG Suite > have taken up encryption than those exposed to the command > line subtleties of GnuPG. Both can be used at the same time, > as I do, you don’t have to choose between them. > > Sandeep Murthy > s.mur...@mykolab.com > >> Begin forwarded message: >>

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Juergen Fenn
2015-02-17 17:31 GMT+01:00 Martin Paljak : > So, generally speaking: if the upstream has not catered to the OSX > folks and somebody on the internet has, I would not blame GPGTools > guys for doing it. Yes, it would be nice if one at least tried to > contribute back to upstream and to work in an o

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Ville Määttä
> On 17 Feb 2015, at 21:16, Juergen Fenn wrote: > > as you've pointed > out, the GPGTools have decided to go all commercial including, I > didn't realise this before, a closed code repository so that no one > can study the code? Is this true? I can't believe it. That’s not quite true. They must

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Sandeep Murthy
I suppose if you were conceited enough to describe yourself as a “power user” then you might be dumb enough to think that people who use GPG Suite are “dumb users”. Platform fanatics and those make an easy job of caricaturing themselves in their fanaticism for a “pure setup”, which is an illusion.

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Ville Määttä
> On 17 Feb 2015, at 21:03, Sandeep Murthy wrote: > > As a user, not a developer on MacGPG, the issues previously > raised here about the remote execution of scripts etc. may be > questionable, but they do not directly affect my use of the software, > which is nothing but a front end for GnuPG.

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Ville Määttä
> On 17 Feb 2015, at 18:31, Martin Paljak wrote: > > Not sure about overall GnuPG affection with Apple or other closed > source software, but the PC/SC layer in Yosemite is broken (again): > > http://ludovicrousseau.blogspot.fr/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html Yeah, Apple h

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Martin Paljak
On Tue, Feb 17, 2015 at 6:00 PM, Ville Määttä wrote: > Instead they should use upstream and contribute the minimal amount of > wrappers or fixes upstream. Case in point: Has the fix for gpg-agent / > scdaemon hang been discussed upstream at all [4], [5]? In MacGPG there is > still ../libexec/gn

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Heinz Diehl
On 17.02.2015, Werner Koch wrote: > git meanwhile allows to sign commits. If anyone knows a method to set a > different key for tagging and commits, I would soon start to sign each > commit. I can be seriously wrong, but is that not something the LKML people do?

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Ville Määttä
I’ve had some concerns about GPGTools for months now. For some time I've disliked the way the project is being run, the communication of what they are planning and the way they have been doing their development for example. Months went by when their Yosemite betas were not available in source at

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Sandeep Murthy
> > Actually, I've noticed that there was a very quick reply to this when it was > brought to the dev's attention. I'll leave this here for anyone else > interested > in following-up: > > > https://github.com/GPGTools/GPGTools_Core/commit/5186bade36acedfdc0b76f9f5ddfcfc004ec698b > > I'm not a

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Hugo Osvaldo Barrera
On 2015-02-17 11:01, Jonathan Schleifer wrote: > > I disagree. The developers are not capable of writing secure software, as > demonstrated (several times even, it seems). It would be best to advise to > never use that at all and then write new software, if there's demand for it. > It's sometim

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Sandeep Murthy
> >> http://support.gpgtools.org/ > > If you are a security project, you should be thankful for people reporting > bugs, not trying to make it as hard as possible to report a serious bug. This > looks like more of a "users help users" forum kind of thing, nothing where > you would want to rep

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Sandeep Murthy
I have posted a message in the GPG Tools support forum copying the original post in this thread, letting the developers know of the concerns raised here. Perhaps you will see some comments in the near future. Sandeep Murthy s.mur...@mykolab.com > On 17 Feb 2015, at 13:31, Werner Koch wrote: >

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Werner Koch
On Mon, 16 Feb 2015 22:48, js-gnupg-us...@webkeks.org said: > @bash -c "$$(curl -fsSL > https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)" Bad idea to directly run code from a foreign remote site. I'd appreciate if someone from gpgtools.org can comment

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Werner Koch
On Tue, 17 Feb 2015 00:53, h...@barrera.io said: > git://github.com...", since any malicious attacker can intercept that > communication. There's no checksumming or anything to make this difficult *at > all*. > > What *does* surprise me is that there's a commit to specifically remove git+ssh > in fa

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Jonathan Schleifer
On 17.02.2015 at 07:53, Sandeep Murthy wrote: >> I'm guessing because you need an SSH key at GitHub in order to pull via SSH. >> Yet another problem solved by git modules. >> >> Still, they could have at least changed it to https. > > GitHub supports pull/push via SSH or HTTPS therefore you c

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-16 Thread Sandeep Murthy
> I'm guessing because you need an SSH key at GitHub in order to pull via SSH. > Yet another problem solved by git modules. > > Still, they could have at least changed it to https. GitHub supports pull/push via SSH or HTTPS therefore you can do this too with MacGPG (2) or any GitHub repo. > >>

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-16 Thread Jonathan Schleifer
On 17.02.2015 at 00:53, Hugo Osvaldo Barrera wrote: > It is true that there's a pretty big security hole there with "git clone > git://github.com...", since any malicious attacker can intercept that > communication. There's no checksumming or anything to make this difficult *at > all*. Well, thi

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-16 Thread Hugo Osvaldo Barrera
On 2015-02-16 22:48, Jonathan Schleifer wrote: > Hi! > > I hereby request that MacGPG gets removed from gnupg.org due to serious > security concerns. Basically, the first thing the Makefile in all their repos > / tarballs does is this: > > @bash -c "$$(curl -fsSL > https://raw.github.c

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-16 Thread Jonathan Schleifer
On 17.02.2015 at 00:16, Sandeep Murthy wrote: > I think this is an exaggeration. I have been using MacGPG and the > GPG Tools support forum for quite some time, and have brought a > number of issues to their attention, including a couple of security > related ones, like making their key fingerp

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-16 Thread Sandeep Murthy
Hi I think this is an exaggeration. I have been using MacGPG and the GPG Tools support forum for quite some time, and have brought a number of issues to their attention, including a couple of security related ones, like making their key fingerprints more visible. They do care about security and