Please remove MacGPG from due to serious security concerns

Werner Koch wk at
Tue Feb 17 14:31:29 CET 2015

On Mon, 16 Feb 2015 22:48, js-gnupg-users at said:

>         @bash -c "$$(curl -fsSL"

Bad idea to directly run code from a foreign remote site.  I'd
appreciate if someone from can comment on this.

GnuPG's speedo build system also downloads stuff via the Makefile but it
verifies the checksums before proceeding. The checksums are taken from a
public file which has a detached signature and the public key for that
is one of the GnuPG release signing keys.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list