Please remove MacGPG from gnupg.org due to serious security concerns

Tue Feb 17 20:03:30 CET 2015

I suppose if you were conceited enough to describe yourself
as a “power user” then you might be dumb enough to think
that people who use GPG Suite are “dumb users”.

Platform fanatics and those make an easy job of caricaturing
themselves in their fanaticism for a “pure setup”, which is an
illusion.  In the real world every system can be compromised
and no can have such a setup, no matter how hard you try.

You don’t have to choose between OS X and Linux, there are
lots of people who use both.

I have both GnuPG and GPG Suite, and I use both when I have
to.  As a user, not a developer on MacGPG, the issues previously
raised here about the remote execution of scripts etc. may be
questionable, but they do not directly affect my use of the software,
which is nothing but a front end for GnuPG.

The GPG plug-in for Apple Mail is not without its shortcomings but
it is incredibly easy to use and works well the other components
of the GPG suite.  I have not used Enigmail, but it’s simply a
question of choice.

Sandeep Murthy
s.murthy at mykolab.com

> On 17 Feb 2015, at 16:31, Martin Paljak <martin at martinpaljak.net> wrote:
> 
> On Tue, Feb 17, 2015 at 6:00 PM, Ville Määttä
> <mailing-lists at asatiifm.net> wrote:
>> Instead they should use upstream and contribute the minimal amount of wrappers or fixes upstream. Case in point: Has the fix for gpg-agent / scdaemon hang been discussed upstream at all [4], [5]? In MacGPG there is still ../libexec/gnupg-pcsc-wrapper which has been modified in commit f4c3e1bb to fix the issues of scdaemon hanging in Yosemite [6]. GnuPG proper has removed it in bc6b45 [7]. How would one go about fixing this issue for upstream? Has GPGTools contributed anything regarding this other than the initial discussion[8] about the issue? Upstream still does have the issue which now seems to have been fixed in the fork but in a binary removed from upstream…
> 
> 
> Not sure about overall GnuPG affection with Apple or other closed
> source software, but the PC/SC layer in Yosemite is broken (again):
> 
> http://ludovicrousseau.blogspot.fr/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html
> 
> Generally speaking, I think the GPGTools folks care about "usage for
> dumbusers" which means making stuff Work(tm) for the not-so-powerusers
> on a not-so-great platform. It is the users's choice to use OSX (not
> Linux), the same way it is their choice to use Mail.app (not Enigmail)
> the same way it is their choice to use a simple to use binary
> installer with crappy build machinery instead of verifying the
> checksums of every download.
> 
>> So, *"official website for gpg on OS X"* according to this user critical of making discontinuation of a free version.
> 
> GnuPG just got a huge sum of money, I'm sure arrangements can be made
> to allocate some of that for a easy to use and *free* OSX version with
> an integrated GUI ?
> 
>> Another: GPGTools support site has a certificate mismatch [14]. WTF is a *.tenderapp.com cert doing here?
> 
> Because that site is run by Tender and if you connect to the https
> version, you get their site? Probably makes sense to bug Tender with
> this.
> 
> 
> So, generally speaking: if the upstream has not catered to the OSX
> folks and somebody on the internet has, I would not blame GPGTools
> guys for doing it. Yes, it would be nice if one at least tried to
> contribute back to upstream and to work in an open manner, but at
> least they DO something, for what there is apparent need.
> 
> Martin
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20150217/b3d27dae/attachment.sig>