Please remove MacGPG from gnupg.org due to serious security concerns

Werner Koch wk at gnupg.org
Tue Feb 17 14:22:32 CET 2015


On Tue, 17 Feb 2015 00:53, hugo at barrera.io said:

> git://github.com...", since any malicious attacker can intercept that
> communication. There's no checksumming or anything to make this difficult *at
> all*.
>
> What *does* surprise me is that there's a commit to specifically remove git+ssh
> in favour of insecure ssh. There's no comment on why that was done either:

[I assume you meant "insecure git"]

I do not think that it matters whether you pull using the git or the ssh
protocol.  In both cases an active attacker can intercept the traffic
easily.  Virtually nobody checks ssh host keys, and how should they do it
given that I can't find its fingerprint easily on github?  Thus you would only
see the "host key changed" warning in case this is not the first time
you connected to this github project (I assume they use different host
keys per project).

After all it is not different from downloading tarballs - only 10 to 20%
of all downloads also download the signature file and for most projects
there is no signature file.

For gnupg.org we assume that users of the repos closely watch out for
conflicts and verify the latest release tag.  If there is a problem, that
should be reported to a mailing list (after verification that it is
really a conflict).

git meanwhile allows signing commits.  If anyone knows a method to set a
different key for tagging and commits, I would soon start to sign each
commit.  I use a smartcard-based key for tagging but won't use that for
regular commits.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
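
The release-tag verification mentioned in the message, as an added example that is not part of the original post or of GnuPG's own tooling: the check passes only if the latest tag carries exactly one valid signature from a pinned primary-key fingerprint, so the result does not depend on whether the fetch used git or ssh. The function names, the fingerprints and the sample status lines are constructed; the pinned fingerprint has to come from a channel other than the repository.

```shell
#!/bin/sh
# Added example: fingerprints and status lines below are constructed placeholders.

# check_status PINNED_FPR
# Reads GnuPG status lines on stdin. Succeeds only if there is exactly one
# VALIDSIG, its primary-key fingerprint equals PINNED_FPR, and no failure
# status (bad, unverifiable, expired-key or revoked-key signature) appears.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            n++
            # Field 12 is the primary-key fingerprint; field 3 is the signing (sub)key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { if (ok && !bad && n == 1) exit 0; exit 1 }
    '
}

# verify_latest_tag REPO_DIR PINNED_FPR
# Prints the most recent tag reachable from HEAD if its signature passes.
verify_latest_tag() {
    tag=$(git -C "$1" describe --tags --abbrev=0) || return 1
    # --raw sends the GnuPG status lines to stderr; pipe only those.
    git -C "$1" verify-tag --raw "$tag" 2>&1 >/dev/null | check_status "$2" || return 1
    printf '%s\n' "$tag"
}

# Constructed status output of the kind `git verify-tag --raw` emits.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2015-02-17 1424179352 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
EOF
}
```

A lightweight or unsigned tag produces no VALIDSIG line and is rejected the same way as a bad signature.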



