[git] GPGME - branch, ben/docs/2018-03, updated. gpgme-1.10.0-108-g0fb8a5d

by Ben McGinnes cvs at cvs.gnupg.org
Mon Mar 19 03:16:51 CET 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GnuPG Made Easy".

The branch, ben/docs/2018-03 has been updated
       via  0fb8a5d45c1c77a5928d6e356271da055aa55994 (commit)
      from  bf67cf433fe82924ed40e79785e95403c07cc068 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0fb8a5d45c1c77a5928d6e356271da055aa55994
Author: Ben McGinnes <ben at adversary.org>
Date:   Mon Mar 19 13:09:46 2018 +1100

    doc: python bindings howto
    
    * Adjusted the python-gnupg so the comments regarding insecure
      invocation of commands via subprocess (shell=True) were a major
      historical issue and not a current issue.
    * Not including Vinay Sajip's requested change to say it is now secure
      since no audit of the current code base has been performed and my
      last major inspection of that code was around the time I first
      ported PyME to Python 3 in 2015.
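The commit above concerns the historical use of subprocess with shell=True in python-gnupg. The following is an added illustration of that class of defect, not code from python-gnupg, gnupg, PyME or GPGME: it runs a constructed hostile filename through the insecure string-plus-shell pattern, through the same pattern with shlex.quote, and through an argv list with no shell. `echo` is used as a stand-in for the gpg binary so that the example runs anywhere; the function names and the HOSTILE_NAME value are assumptions made for the demonstration.

```python
"""Constructed demonstration of shell=True command injection in subprocess.

Not python-gnupg code. `echo` stands in for the gpg/gpg2 binary so the
example runs without GnuPG installed; on a real wrapper the hostile string
would typically arrive as a filename or key identifier from the caller.
"""
import shlex
import subprocess

# Constructed attacker-controlled input, e.g. a filename supplied by a user.
# The "; echo INJECTED" tail is only meaningful if a shell parses it.
HOSTILE_NAME = "report.txt; echo INJECTED"


def verify_with_shell(name):
    """Insecure pattern: build a command string and hand it to a shell.

    The shell splits on ';' and runs the attacker's second command.
    """
    cmd = "echo verifying " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def verify_with_quoting(name):
    """Mitigated but still shell-based: shlex.quote wraps the untrusted value
    in single quotes so metacharacters are passed literally.  Acceptable only
    when a shell is genuinely required (pipelines, redirections)."""
    cmd = "echo verifying " + shlex.quote(name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def verify_with_argv(name):
    """Safe pattern: pass an argument list with shell=False (the default).

    No shell is involved, so `name` reaches the child as exactly one argv
    entry, metacharacters and all.  Note that this does not stop *option*
    injection (a name beginning with '-'); for that, terminate options with
    '--' before untrusted positional arguments when the target tool supports it.
    """
    return subprocess.run(["echo", "verifying", name], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (verify_with_shell, verify_with_quoting, verify_with_argv):
        print(f"{fn.__name__}: {fn(HOSTILE_NAME)!r}")
```

Run on a POSIX system, the first function prints two lines (the second being the injected command's output), while the quoted and argv forms each print a single line containing the hostile string verbatim.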

diff --git a/lang/python/docs/GPGMEpythonHOWTOen.org b/lang/python/docs/GPGMEpythonHOWTOen.org
index f5192f4..4a21554 100644
--- a/lang/python/docs/GPGMEpythonHOWTOen.org
+++ b/lang/python/docs/GPGMEpythonHOWTOen.org
@@ -117,7 +117,11 @@
 
     Unfortunately it has been beset by a number of security issues,
     most of which stemmed from using unsafe methods of accessing the
-    command line via the =subprocess= calls.
+    command line via the =subprocess= calls.  While some effort has
+    been made over the last two to three years (as of 2018) to
+    mitigate this, particularly by no longer providing shell access
+    through those subprocess calls, the wrapper is still somewhat
+    limited in the scope of its GnuPG features coverage.
 
     The python-gnupg package is available under the MIT license.
 
@@ -132,15 +136,15 @@
     package also relied on subprocess to call the =gpg= or =gpg2=
     binaries, but did so somewhat more securely.
 
-    However the naming and version numbering selected for this package
-    resulted in conflicts with the original python-gnupg and since its
-    functions were called in a different manner, the release of this
-    package also resulted in a great deal of consternation when people
-    installed what they thought was an upgrade that subsequently broke
-    the code relying on it.
+    The naming and version numbering selected for this package,
+    however, resulted in conflicts with the original python-gnupg and
+    since its functions were called in a different manner to
+    python-gnupg, the release of this package also resulted in a great
+    deal of consternation when people installed what they thought was
+    an upgrade that subsequently broke the code relying on it.
 
     The gnupg package is available under the GNU General Public
-    License version 3.0 (or later).
+    License version 3.0 (or any later version).
 
 
 *** The PyME package maintained by Martin Albrecht
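Review bot: this rewrite only reorders the sentence, and the vague claim in the unchanged context line just above it survives: "did so somewhat more securely" (the gnupg package's use of subprocess) should say what was done differently, for example that an argument list was passed instead of a shell command string, or the comparative should be dropped, because a reader choosing between the two wrappers cannot act on "somewhat more securely". Minor: "in a different manner to python-gnupg" reads more naturally as "differently from python-gnupg". The change to "(or any later version)" correctly matches the GPL's own wording.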

-----------------------------------------------------------------------

Summary of changes:
 lang/python/docs/GPGMEpythonHOWTOen.org | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)


hooks/post-receive
-- 
GnuPG Made Easy
http://git.gnupg.org



