Please remove MacGPG from due to serious security concerns

Jonathan Schleifer js-gnupg-users at
Tue Feb 17 11:01:52 CET 2015

Am 17.02.2015 um 07:53 schrieb Sandeep Murthy <s.murthy at>:

>> I'm guessing because you need an SSH key at GitHub in order to pull via SSH. Yet another problem solved by git modules.
>> Still, they could have at least changed it to https.
> GitHub supports pull/push via SSH or HTTPS therefore you can do this to with MacGPG (2)
> or any GitHub repo.

Well, for SSH, you need a key, but for HTTPS, you don't, so they could have used that. However, git submodules solve the problem completely, as you can use relative paths. So it uses whatever you used to check out the initial repo.

> There must be lots of MacGPG users and most of them probably use the GPG
> suite, because it is GUI based (also more user friendly, unlike GnuPG) and it
> would not be fair on them to unilaterally remove the link to GnuPG or to receive
> some kind of security warning without raising the issues you mention with
> the people who are actively developing and maintaining the source.

I disagree. The developers are not capable of writing secure software, as demonstrated (several times even, it seems). It would be best to advise to never use that at all and then write new software, if there's demand for it. It's sometimes better to not use something than to use something untrustworthy. For security products, this is especially true.


More information about the Gnupg-users mailing list