Please remove MacGPG from due to serious security concerns

Jonathan Schleifer js-gnupg-users at
Tue Feb 17 00:41:51 CET 2015

On 17.02.2015 at 00:16, Sandeep Murthy <s.murthy at> wrote:

> I think this is an exaggeration.  I have been using MacGPG and the
> GPG Tools support forum for quite some time, and have brought a
> number of issues to their attention, including a couple of security
> related ones, like making their key fingerprints more visible.

On the one hand, you think it's an exaggeration; on the other, you can list even more examples. I mean, they don't even follow the most basic security practices which are common in basically all projects these days, even non-security-related projects. And we're talking about a security-related project here! If someone clearly demonstrates even a lack of the most basic security measures, why should that someone be trusted with way more complex stuff? Your listing that they had problems in the past basically only strengthens the argument that they are not to be trusted and should not be endorsed.

> They do care about security and are very responsive to posts on the
> GPG Tools support forum

Really? Somebody caring about security executing remote code? Rather than using git submodules (which have existed for how many years?), they prefer executing remote code that then downloads more code using an unverified channel. This can't be just laziness (using git submodules is less work), but looks like somebody even put a lot of effort into failing at security. How can you call that "caring about security"? If you'd argue they care a lot about being insecure, I'd agree though, because they actually seem to put a lot of effort into that…


If you are a security project, you should be thankful for people reporting bugs, not trying to make it as hard as possible to report a serious bug. This looks more like a "users help users" forum kind of thing, nothing where you would want to report a bug.
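The alternative argued for in this message, as an added example that is not code from the thread or from GPG Tools: a build step that pins a dependency as a git submodule and refuses to build unless the checked-out submodule matches the pinned commit, so nothing fetched over an unverified channel reaches the build. It assumes git is installed; every repository it uses is a constructed fixture under a temporary directory.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or GPG Tools): reject a build whose git
# submodule is not at the commit the parent repository pins. Assumes git is
# installed; all repositories below are constructed fixtures under mktemp -d.
set -eu

GIT="git -c user.name=example -c user.email=example@example.invalid \
        -c init.defaultBranch=main -c protocol.file.allow=always"

# Exit 0 only when each submodule's HEAD equals the commit recorded in the
# parent tree (the pin). Anything else is reported on stderr and rejected.
verify_pinned_submodules() {
  local repo=$1 path pinned actual
  for path in $(git -C "$repo" config --file .gitmodules \
                  --get-regexp 'submodule\..*\.path' | awk '{print $2}'); do
    pinned=$(git -C "$repo" ls-tree HEAD -- "$path" | awk '{print $3}')
    actual=$(git -C "$repo/$path" rev-parse HEAD)
    if [ "$pinned" != "$actual" ]; then
      echo "refusing to build: $path is at $actual, parent pins $pinned" >&2
      return 1
    fi
  done
}

# Constructed fixture: an upstream library repo and a consumer repo that pins
# upstream's first commit as the submodule vendor/lib. Prints the fixture root.
make_fixture() {
  local root; root=$(mktemp -d)
  $GIT init -q "$root/upstream"
  echo 'v1' > "$root/upstream/lib.txt"
  $GIT -C "$root/upstream" add lib.txt
  $GIT -C "$root/upstream" commit -q -m 'upstream v1'
  $GIT init -q "$root/consumer"
  $GIT -C "$root/consumer" submodule add "$root/upstream" vendor/lib >/dev/null 2>&1
  $GIT -C "$root/consumer" commit -q -m 'pin vendor/lib at v1'
  # A later upstream commit that nobody in the consumer project has reviewed.
  echo 'v2' > "$root/upstream/lib.txt"
  $GIT -C "$root/upstream" commit -q -am 'upstream v2'
  echo "$root"
}

# Move the checked-out submodule to the unreviewed upstream commit, which is
# what an "always fetch the latest" build script does without telling anyone.
drift_submodule() {
  local root=$1 latest
  latest=$($GIT -C "$root/upstream" rev-parse HEAD)
  $GIT -C "$root/consumer/vendor/lib" fetch -q origin
  $GIT -C "$root/consumer/vendor/lib" checkout -q "$latest"
}
```

Running `verify_pinned_submodules "$root/consumer"` after `drift_submodule` fails with the two commit ids, which is the check a build script doing `curl | sh` never gets.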