From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/63961 Path: news.gmane.org!not-for-mail From: Sascha Wilde Newsgroups: gmane.emacs.gnus.general,gmane.emacs.devel Subject: Re: Security flaw in pgg-gpg-process-region? Date: Sat, 11 Nov 2006 23:00:38 +0100 Message-ID: References: <9c79059a-61a9-4fa4-8376-638753320a14@well-done.deisui.org> <4aaf7080-0e3d-4a75-aff5-f9d5bcd0437f@well-done.deisui.org> <87fyjz2gaj.fsf@pacem.orebokech.com> <87ac5gnccs.fsf@mid.deneb.enyo.de> <8fe569ef-0b5e-4c29-b434-686fce4c619b@well-done.deisui.org> NNTP-Posting-Host: main.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: sea.gmane.org 1163282543 4890 80.91.229.2 (11 Nov 2006 22:02:23 GMT) X-Complaints-To: usenet@sea.gmane.org NNTP-Posting-Date: Sat, 11 Nov 2006 22:02:23 +0000 (UTC) Cc: satyaki@chicory.stanford.edu, Reiner.Steib@gmx.de, ueno@unixuser.org, ding@gnus.org, emacs-devel@gnu.org, wk@gnupg.org, gdt@work.lexort.com, fw@deneb.enyo.de, jas@extundo.com Original-X-From: ding-owner+M12485@lists.math.uh.edu Sat Nov 11 23:02:20 2006 Return-path: Envelope-to: ding-account@gmane.org Original-Received: from util0.math.uh.edu ([129.7.128.18]) by ciao.gmane.org with esmtp (Exim 4.43) id 1Gj0vX-0004Nz-P9 for ding-account@gmane.org; Sat, 11 Nov 2006 23:02:16 +0100 Original-Received: from localhost ([127.0.0.1] helo=lists.math.uh.edu) by util0.math.uh.edu with smtp (Exim 4.63) (envelope-from ) id 1Gj0uT-0005WC-1B; Sat, 11 Nov 2006 16:01:09 -0600 Original-Received: from mx2.math.uh.edu ([129.7.128.33]) by util0.math.uh.edu with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from ) id 1Gj0uQ-0005VW-EM for ding@lists.math.uh.edu; Sat, 11 Nov 2006 16:01:06 -0600 Original-Received: from quimby.gnus.org ([80.91.231.51]) by mx2.math.uh.edu with esmtp (Exim 4.63) (envelope-from ) id 1Gj0uM-0004ef-Ck for ding@lists.math.uh.edu; Sat, 11 Nov 2006 16:01:06 -0600 Original-Received: from ns.km1136.keymachine.de ([62.141.58.119] helo=km1136.keymachine.de) by quimby.gnus.org with esmtp (Exim 3.35 #1 (Debian)) id 1Gj0uL-0007h8-00 for ; Sat, 11 Nov 2006 23:01:01 +0100 Original-Received: from kenny.sha-bang.de (xdslcv221.osnanet.de [89.166.149.221]) (authenticated bits=0) by km1136.keymachine.de (8.12.11.20060308/8.12.10) with ESMTP id kABM0aOb000313; Sat, 11 Nov 2006 23:00:37 +0100 Original-Received: from wilde by kenny.sha-bang.de with local (Kenny MUA v.0409034.42) ID 1Gj0tz-0002tF-0i; Sat, 11 Nov 2006 23:00:39 +0100 Original-To: rms@gnu.org In-Reply-To: (Richard Stallman's message of "Tue\, 19 Sep 2006 18\:56\:59 -0400") User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.90 (gnu/linux) X-Spam-Score: -2.5 (--) List-ID: Precedence: bulk Xref: news.gmane.org gmane.emacs.gnus.general:63961 gmane.emacs.devel:62081 Archived-At: Richard Stallman wrote: First of all: sorry for this _really_ late reply... > Finlay I do agree that the current handling of passphrases in Emacs is > a serious security problem, which should be solved. > > The solution of waiting a while and urging people to start using > gpg-agent is by far the easiest. Ack. This is a working solution, and as it seems the only realistic for the upcoming release. > If you think we need another interim solution, would you please > implement it? I thought of it, but as far as I can see the necessary changes would involve some substantial changes/extensions of parts of emacs I'm not very familiar with -- so I guess it wouldn't be a good thing to do at this point of time. Maybe we should point out the problem somewhere in the docs? cheers sascha -- Sascha Wilde Real programmers don't want "what you see is what you get", they want "you asked for it, you got it". They want editors that are terse, powerful, cryptic, and unforgiving. In a word, Teco.