Fwd: Please remove MacGPG from gnupg.org due to serious security concerns

Sandeep Murthy s.murthy at mykolab.com
Tue Feb 17 00:31:18 CET 2015


If you have concerns or suggestions then the best thing would be
to contact Luke Le, Steve or the other support staff on

http://support.gpgtools.org/

Sandeep Murthy
s.murthy at mykolab.com

> Begin forwarded message:
> 
> Subject: Re: Please remove MacGPG from gnupg.org due to serious security concerns
> From: Sandeep Murthy <s.murthy at mykolab.com>
> Date: 16 February 2015 23:16:06 GMT
> Cc: js-gnupg-users at webkeks.org
> To: gnupg-users at gnupg.org
> 
> Hi
> 
> I think this is an exaggeration.  I have been using MacGPG and the
> GPG Tools support forum for quite some time, and have brought a
> number of issues to their attention, including a couple of security
> related ones, like making their key fingerprints more visible.
> 
> They do care about security and are very responsive to posts on the
> GPG Tools support forum
> 
> http://support.gpgtools.org/
> 
> The GitHub issues page for MacGPG is not the main places where
> issues are raised, it’s actually the support forum, where there are
> lots of other resources as well.
> 
> Sandeep Murthy
> s.murthy at mykolab.com
> 
>> On 16 Feb 2015, at 21:48, Jonathan Schleifer <js-gnupg-users at webkeks.org> wrote:
>> 
>> Hi!
>> 
>> I hereby request that MacGPG gets removed from gnupg.org due to serious security concerns. Basically, the first thing the Makefile in all their repos / tarballs does is this:
>> 
>>       @bash -c "$$(curl -fsSL https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)"
>> 
>> So you type make not expecting anything bad (you verified the checksum and everything), but you just executed remote code. Great. And they even hide it from you by prefixing it with @, which is downright evil. So you never notice unless you look at the Makefile. Currently, that script clones another common repo using the unverified git:// protocol (because, why use submodules if you can do it in an insecure way?), but obviously, that can change any minute and could change just for certain IPs etc.
>> 
>> The developer(s) don't allow any issues on GitHub, so I tried contacting them by other means (e.g. Twitter), only to get ignored. They clearly don't care about security.
>> 
>> In any case, somebody who does something like this clearly doesn't care about security the least. The potential for backdoors is extremely high and I think nobody should be using any software written by this developer / these developer(s), as they clearly demonstrated that they couldn't care less about your security.
>> 
>> I don't feel comfortable that the majority of Mac users are using this software which doesn't care for security at all, but is used for extremely security sensitive tasks. I guess this is because gnupg.org recommends it and therefore people think it's safe. I think gnupg.org should do the contrary instead and strongly discourage using it.
>> 
>> --
>> Jonathan
>> 
>> 
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20150216/7f460fd6/attachment.sig>


More information about the Gnupg-users mailing list