From: Sascha Wilde
Newsgroups: gmane.emacs.gnus.general,gmane.emacs.devel
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Sun, 12 Nov 2006 22:38:41 +0100
Original-To: rms@gnu.org
Cc: satyaki@chicory.stanford.edu, Reiner.Steib@gmx.de, ueno@unixuser.org, ding@gnus.org, emacs-devel@gnu.org, wk@gnupg.org, gdt@work.lexort.com, fw@deneb.enyo.de, jas@extundo.com
In-Reply-To: (Richard Stallman's message of "Sun, 12 Nov 2006 16:12:32 -0500")

Richard Stallman wrote:

> What is the current state of gpg-agent?

gpg-agent is not yet part of the stable GnuPG distribution, but
despite that it's considered stable and ready for production use.

There are some general usability problems with gpg-agent in
conjunction with pinentry (a utility program used for passphrase
input when gpg-agent is used without the smartcard support) -- but
these issues only show up in certain complex situations and I
wouldn't consider them a show stopper.

My gpg-agent related code in pgg is part of CVS Emacs as well as the
current stable gnus release, and I'm not aware of any problems with
it. (I remember Daiki was working on a technically more elegant
version, but don't know its current status.)

In conclusion I would say that using pgg with gpg-agent can be
recommended as best practice, but there are some obstacles which
might make it hard for the average user to follow this advice:

- GNU/Linux distributions might not have packages of gpg-agent
- I don't know about support for gpg-agent on non-unixoid platforms
- users might encounter situations in which gpg-agent/pinentry won't
  work as expected

cheers
sascha
-- 
Sascha Wilde
Life's too short to read boring signatures