From: Richard Stallman
Newsgroups: gmane.emacs.devel
Subject: Re: Fix needed for communication with gpg-agent
Date: Wed, 21 Feb 2007 03:37:51 -0500
References: <87irdzs6pp.fsf@stupidchicken.com> <87fy91g1pl.fsf@catnip.gol.com> <873b50g7um.fsf@stupidchicken.com>
Reply-To: rms@gnu.org
To: Chong Yidong
Cc: emacs-devel@gnu.org, miles@gnu.org
In-reply-to: <873b50g7um.fsf@stupidchicken.com> (message from Chong Yidong on Tue, 20 Feb 2007 10:35:29 -0500)

    > We need to solve this problem one way or another now, because we
    > decided to fix a certain security hole by telling users to use
    > gpg-agent. We don't need the most elegant possible fix, but we
    > need something reasonable to use.

    Has anyone ever said that not using gpg-agent causes a security hole
    (except for you)?

What a silly question! I am not an expert on security, so such a
concern would NEVER originate from me. This problem was
described in this list by others, a few months ago.

    Basically, the worry is that
    someone could somehow change the Elisp code in your Emacs session so
    that it records your passphrase as you are entering it. This is a
    non-zero but minuscule risk.

I think he could also walk up to your terminal after you have entered
the passphrase, and get it out of data remaining in Emacs.

In the discussion when this was raised, people seemed to agree it was
a problem we should fix. And the only fix was to avoid storing
passphrases in Emacs.