From: Richard Stallman
Newsgroups: gmane.emacs.devel,gmane.emacs.gnus.general
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Thu, 07 Sep 2006 17:13:40 -0400
Reply-To: rms@gnu.org
To: gdt@work.lexort.com
Cc: satyaki@chicory.stanford.edu, Reiner.Steib@gmx.de, ueno@unixuser.org, ding@gnus.org, emacs-devel@gnu.org, Werner Koch, fw@deneb.enyo.de, jas@extundo.com

    As soon as the passphrase ends up on disk, through a temp file, core
    file, swap space, the plan is compromised.  Programs like gnupg take
    care to mlock(2) or similar to keep key data from being paged out.
    (One also needs to disable kernel crash dumps.)

I think that the only feasible way Emacs could do that is with a
special C-level feature.

    The right solution might instead be to push for gpg-agent to be
    production ready, so that the entire notion of emacs dealing with
    passphrases can be deprecated.

What's the state of work on this?
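
Added example, not part of the original message and not code from Emacs or GnuPG: a sketch in C of the measures the quoted text names, pinning a passphrase buffer in RAM with mlock(2), keeping it out of process core files, and wiping it before release. The names secbuf, secbuf_alloc, secbuf_free, secure_wipe and disable_core_dumps are hypothetical; temp files and kernel crash dumps are outside what it covers.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* exposes MAP_ANONYMOUS and madvise() */
#endif
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical helper type: whole pages holding one passphrase. */
typedef struct { unsigned char *p; size_t len; } secbuf;

/* Forbid core files for this process (kernel crash dumps are a system setting). */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Zero through a volatile pointer so the stores are not optimised away. */
void secure_wipe(void *p, size_t n) {
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

/* Map whole pages and pin them in RAM; fail closed if locking is refused. */
int secbuf_alloc(secbuf *b, size_t want) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (want + page - 1) / page * page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (mlock(p, len) != 0) { munmap(p, len); return -1; } /* e.g. RLIMIT_MEMLOCK */
#ifdef MADV_DONTDUMP
    madvise(p, len, MADV_DONTDUMP); /* Linux: omit these pages from core files */
#endif
    b->p = p; b->len = len; return 0;
}

/* Wipe before the pages are unlocked and handed back to the kernel. */
void secbuf_free(secbuf *b) {
    secure_wipe(b->p, b->len);
    munmap(b->p, b->len); /* unmapping also drops the memory lock */
    b->p = NULL; b->len = 0;
}

int main(void) {
    secbuf b;
    if (disable_core_dumps() != 0 || secbuf_alloc(&b, 128) != 0) return 1;
    memcpy(b.p, "constructed sample", 19); /* constructed; real input is read into b.p */
    secbuf_free(&b);
    return 0;
}
```

The locked buffer only helps if the passphrase is read directly into it; any copy made on the way (a heap string, a stdio buffer) is ordinary pageable memory.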