Python bindings HOWTO proof reader request

Vinay Sajip vinay_sajip at yahoo.co.uk
Sun Mar 18 18:07:02 CET 2018


Dear Ben,
I am the maintainer of the python-gnupg package. This section about it in your HOWTO is, I believe, incorrect: "Unfortunately it has been beset by a number of security issues, most of which stemmed from using unsafe methods of accessing the command line via the subprocess calls."
At one time this was true - the subprocess calls in early versions were made with shell=True and therefore subject to injection attacks. However, this has not been the case for quite some time - subprocess is currently called with shell=False and not (as far as I know) insecure in the way you describe.
You also say "most of which stemmed from using unsafe methods of accessing the command line" - what were the *other* security issues, and where were they raised / who raised them? Obviously, I want to ensure that python-gnupg has no avoidable security issues, so your feedback would be helpful in achieving this. I would also be grateful if you updated your HOWTO to remove the inaccuracy about python-gnupg.
Regards,
Vinay Sajip

-------------------------------------------------------------
Date: Fri, 16 Mar 2018 00:00:49 +1100
From: Ben McGinnes <ben at adversary.org>
To: gnupg-devel at gnupg.org
Subject: Python bindings HOWTO proof reader request
Message-ID: <20180315130049.4sc54dk3zgvmlalq at adversary.org>
Content-Type: text/plain; charset="us-ascii"

Hello,
    The major work on a HOWTO for the Python bindings is done, but
I'd appreciate some fresh eyes proof reading it before I merge it with
master.  The full thing, in org-mode format, is here:

https://files.gnupg.net/file/data/ossmg4ung2hcpyyuks6j/PHID-FILE-xgbofmytge7fzn3u5kuc/GPGMEpythonHOWTOen.org

Don't worry about dialectic differences between American English and
Australian or British English, I'll do a translation for en-US later.

Also don't worry about the lack of instructions on revoking UIDs or
keys, that will be added later too.

I'm more interested in being sure that the example code works (it
should, I was running it as I was writing the thing) and that the
corresponding text descriptions actually help to clarify what's going
on in that code.


Regards,
Ben
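The shell=True versus shell=False distinction Vinay raises above is the whole security point, so here is an added illustration (not python-gnupg's or the HOWTO's code) of what a child process actually receives in each mode. It substitutes a Python one-liner that echoes its argv for the gpg binary, so it runs without gpg installed, and assumes a POSIX sh for the shell=True cases.

```python
"""Added example: argument handling with shell=False vs shell=True."""
from __future__ import annotations

import shlex
import subprocess
import sys

# Stand-in for a gpg invocation (constructed for this example): prints each
# argv element it received on its own line, so we can see what the child got.
ECHO_ARGV = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]


def argv_seen_by_child(user_value: str) -> list[str]:
    """shell=False: the value is handed over as exactly one argv element.

    No shell ever parses it, so spaces, ';' and similar characters are inert.
    This is how python-gnupg calls subprocess today, per Vinay's message.
    """
    result = subprocess.run(ECHO_ARGV + [user_value],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def argv_seen_via_shell(user_value: str, quote: bool) -> list[str]:
    """shell=True: the command is a single string that /bin/sh re-parses.

    Without quoting, the shell splits on whitespace and treats ';' as a
    command separator, so the child sees something other than the value.
    shlex.quote() restores the single-argument behaviour, but the safer
    fix is simply not to use shell=True at all.
    """
    prefix = " ".join(shlex.quote(part) for part in ECHO_ARGV)
    value = shlex.quote(user_value) if quote else user_value
    result = subprocess.run(f"{prefix} {value}", shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    sample = "alice bob; true"   # constructed: spaces plus a shell separator
    print(argv_seen_by_child(sample))              # ['alice bob; true']
    print(argv_seen_via_shell(sample, quote=True))  # ['alice bob; true']
    print(argv_seen_via_shell(sample, quote=False)) # ['alice', 'bob']
```

The last call shows the shell consuming the separator and splitting the value, which is the injection surface the early shell=True versions exposed; the first call shows why shell=False closes it.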