From: Daiki Ueno <ueno@gnu.org>
To: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: tzz@lifelogs.com, 15552@debbugs.gnu.org
Subject: bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
Date: Tue, 08 Oct 2013 16:03:22 +0900 [thread overview]
Message-ID: <87hacsutvp.fsf-ueno@gnu.org> (raw)
In-Reply-To: <jwvy5644fsl.fsf-monnier+emacsbugs@gnu.org> (Stefan Monnier's message of "Mon, 07 Oct 2013 23:14:41 -0400")
Stefan Monnier <monnier@iro.umontreal.ca> writes:
>>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>>> 3. Open file.gpg: password dialog pops up
>>> 4. close file.gpg
>>> 5. Open file.gpg: password dialog pops up again
>>> Step (5) should not prompt. It works properly with GnuPG 1.x.
>> That's intended behavior.
>
> Could you give the rationale for it?
When gpg-agent is not properly set up as a daemon, gpg2 invokes
gpg-agent internally for each session. In the above case, there are two
gpg2 sessions (two "Open") and thus there are two gpg-agent processes,
which don't share the passphrase.
>> It is documented and I stated a number of times the reason and why
>> I chose such a lengthy name of the variable and the default is nil:
>
> I understand why it is nil by default, but if the user sets it to t,
> presumably he doesn't care about the fact that storing the password in
> Emacs heap is insecure.
When epg.el was written, the intention of the option was the last resort
for those who only have gpg1 and can't use gpg-agent. Since then, I've
recommended to migrate to more secure way (i.e. using gpg-agent).
Given that gpg-agent (gpg2) is now available everywhere, I think there's
no reason to advertise the use of this variable, although at some point
a few people (afaik, only Ted) started exploiting this option to provide
degraded security for usability.
So the question is, would we really like to proactively support such a
degraded security in Emacs?
next prev parent reply other threads:[~2013-10-08 7:03 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-07 17:56 bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x Teodor Zlatanov
2013-10-07 23:41 ` Daiki Ueno
2013-10-08 0:46 ` Ted Zlatanov
2013-10-08 3:14 ` Stefan Monnier
2013-10-08 7:03 ` Daiki Ueno [this message]
2013-10-08 10:47 ` Ted Zlatanov
2013-10-08 17:17 ` Stefan Monnier
2013-10-08 21:51 ` Daiki Ueno
2013-10-09 3:01 ` Stefan Monnier
2013-10-09 3:53 ` Daiki Ueno
2013-10-09 9:32 ` Ted Zlatanov
2013-10-09 12:40 ` Stefan Monnier
2013-10-10 3:08 ` Daiki Ueno
2013-10-10 13:25 ` Ted Zlatanov
2013-10-10 14:31 ` Stefan Monnier
2013-10-10 14:32 ` Stefan Monnier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87hacsutvp.fsf-ueno@gnu.org \
--to=ueno@gnu.org \
--cc=15552@debbugs.gnu.org \
--cc=monnier@iro.umontreal.ca \
--cc=tzz@lifelogs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.