So on & so forth

Peter Lebbing peter at
Tue Aug 19 22:27:04 CEST 2014

On 19/08/14 21:52, Ludwig Hügelschäfer wrote:
> Ack. They use the build system from homebrew. They update recipes from
> time to time, but their releases normally go only with major Mac OS X
> updates (e.g. 10.8 -> 10.9), as in last october with 2.0.22. Their
> main target is the gpg-plugin for Apple mail, I think.

So apparently they're not too worried about the DoS fixed in 2.0.24. And
libgcrypt 1.6.0, which succeeds a version vulnerable to "Get Your Hands Off My
Laptop" if I'm not mistaken, was released in December. I'd hazard a guess that
they ship a vulnerable 1.5.x version.

So everybody: hands off the Mac! ;)

I think that you should only build or fork software[1] when you're willing to
provide the service of security fixes to your users, or clearly indicate this is
out of your scope. Do they provide security support? I think the libgcrypt one
might warrant a fix. A DoS is just annoying.


[1] Especially security software

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list