Questions about GPGME / GnuPG library

Taral taral at taral.net
Tue Dec 5 17:19:36 CET 2000


On Wed, 6 Dec 2000, José C. García Sogo wrote:

> If this is going to be a FAQ I would like you to explain which are
> these security problems quite well, because (believe me) I don't
> understand them. I don't know how a wrapper over gnupg (retrieving
> data passed through a tty!) is more secure than using the gnupg
> library. And also I cannot understand how a CORBA interface will be
> more secure, nor RPC calls.

What if your program is not sufficiently secure, and ends up running
arbitrary code due to an exploit? Private key data could _easily_ be
exposed. Not to mention that GPG is often run setuid-root. Most programs
should not be run setuid-root. If GPG were a library, your program (which
may or may not be safe) would also have to be setuid-root to take
advantage of secure memory.

Taral


