Please remove MacGPG from gnupg.org due to serious security concerns

Martin Paljak martin at martinpaljak.net
Tue Feb 17 17:31:18 CET 2015


On Tue, Feb 17, 2015 at 6:00 PM, Ville Määttä
<mailing-lists at asatiifm.net> wrote:
> Instead they should use upstream and contribute the minimal amount of wrappers or fixes upstream. Case in point: Has the fix for gpg-agent / scdaemon hang been discussed upstream at all [4], [5]? In MacGPG there is still ../libexec/gnupg-pcsc-wrapper which has been modified in commit f4c3e1bb to fix the issues of scdaemon hanging in Yosemite [6]. GnuPG proper has removed it in bc6b45 [7]. How would one go about fixing this issue for upstream? Has GPGTools contributed anything regarding this other than the initial discussion [8] about the issue? Upstream still does have the issue which now seems to have been fixed in the fork but in a binary removed from upstream…


Not sure about overall GnuPG affection with Apple or other closed
source software, but the PC/SC layer in Yosemite is broken (again):

http://ludovicrousseau.blogspot.fr/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html

Generally speaking, I think the GPGTools folks care about "usage for
dumbusers" which means making stuff Work(tm) for the not-so-powerusers
on a not-so-great platform. It is the users' choice to use OSX (not
Linux), the same way it is their choice to use Mail.app (not Enigmail)
the same way it is their choice to use a simple to use binary
installer with crappy build machinery instead of verifying the
checksums of every download.

> So, *"official website for gpg on OS X"* according to this user critical of making discontinuation of a free version.

GnuPG just got a huge sum of money, I'm sure arrangements can be made
to allocate some of that for an easy to use and *free* OSX version with
an integrated GUI?

> Another: GPGTools support site has a certificate mismatch [14]. WTF is a *.tenderapp.com cert doing here?

Because that site is run by Tender and if you connect to the https
version, you get their site? Probably makes sense to bug Tender with
this.


So, generally speaking: if the upstream has not catered to the OSX
folks and somebody on the internet has, I would not blame GPGTools
guys for doing it. Yes, it would be nice if one at least tried to
contribute back to upstream and to work in an open manner, but at
least they DO something, for which there is apparent need.

Martin


