[pkg-gnupg-maint] Bug#854797: pinentry-emacs in Debian
Lev Lamberov
dogsleg at debian.org
Sat Sep 9 16:00:57 UTC 2017
Сб 09 сен 2017 @ 12:56 David Bremner <david at tethera.net>:
> Lev Lamberov <dogsleg at debian.org> writes:
>
>> Dear all,
>>
>> I'd like to rise again the reporter concern [0] about availability of
>> pinentry-emacs in Debian, because I'd be very-very happy to see it
>> there. The support of pinentry-emacs is required for the pinentry Emacs
>> pacakge [1]. I've read the thread (and also looked through cited
>> upstream issues), but was not able to find any conclusion on the issue.
>
> I'm not very convinced by the argument (on the upstream bug) that using
> emacs for pinentry is no riskier than pinentry-gtk2.
>
> - the vast majority of emacs users that I interact with use software
> from outside elpa.gnu.org, so I don't think any security standards for
> elpa (supposing we grant that those are real) provide much
> comfort.
>
> - I can't evaluate the effectiveness of the various OS level protections
> against ptrace, but at least some exist. The emacs memory model is
> extremely simple: every "application" has read/write access to every
> other "application"'s memory. There might be some clever things that
> can be done, but I suspect the very features that make emacs so
> extensible mean there are many many attack vectors (how about just
> redefining or advising read-passwd?).
>
> - Several popular packages for emacs are network facing (e.g. irc
> clients). This means that in principle users are exposed to remote
> attacks. Imagine we integrated an IRC client into pinentry-gtk2.
OK, I see your point and convinced with your argument. Thank you very
much for your input!
Regards,
Lev
More information about the pkg-gnupg-maint
mailing list