Please remove MacGPG from gnupg.org due to serious security concerns

Ville Määttä mailing-lists at asatiifm.net
Tue Feb 17 20:30:21 CET 2015


> On 17 Feb 2015, at 18:31, Martin Paljak <martin at martinpaljak.net> wrote:
> 
> Not sure about overall GnuPG affection with Apple or other closed
> source software, but the PC/SC layer in Yosemite is broken (again):
> 
> http://ludovicrousseau.blogspot.fr/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html

Yeah, Apple has once again moved things around and even seemingly reimplemented some things for no apparent reason. Hard to know why because Apple doesn’t talk much about their plans with the outside world. Ludovic has been doing a great job of finding and reporting issues to Apple.

> …for the not-so-powerusers
> on a not-so-great platform. It is the users' choice to use OSX (not
> Linux), the same way it is their choice to use Mail.app (not Enigmail)
> the same way it is their choice to use a simple to use binary
> installer with crappy build machinery instead of verifying the
> checksums of every download.

You’re letting your hate shine bright. Haters gonna hate.

>> Another: GPGTools support site has a certificate mismatch [14]. WTF is a *.tenderapp.com cert doing here?
> 
> Because that site is run by Tender and if you connect to the https
> version, you get their site? Probably makes sense to bug Tender with
> this.

GPGTools is very much responsible for where their site is hosted and the proper use of such things as certificates. In the scheme of things the actual hosting issue is probably quite small but one could say that *GPGTools has not planned for the use of HTTPS on their support site at all*.

> So, generally speaking: if the upstream has not catered to the OSX
> folks and somebody on the internet has, I would not blame GPGTools
> guys for doing it.

That makes no sense.

> Yes, it would be nice if one at least tried to
> contribute back to upstream and to work in an open manner, but at
> least they DO something, for what there is apparent need.

Nothing requires GPGTools to contribute their code changes back upstream but licensing does require the source to be available. There was a period when this licence requirement was not adhered to. Fortunately, as I said, it was momentary and at the moment as far as I know they have merged back to the public repository.

-- 
Ville
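The "certificate mismatch" discussed above is a hostname-verification failure: the certificate the server presents carries names (here a `*.tenderapp.com` wildcard) that do not cover the hostname the browser asked for. The following is an added example, not code from the thread, from GPGTools or from Tender, that implements the RFC 6125 hostname-matching rules a TLS client applies against the certificate's DNS subject alternative names, so the mismatch can be reasoned about offline. The SAN list is constructed for illustration and is not copied from any real certificate.

```python
"""Decide whether a certificate's DNS subject alternative names cover a requested hostname.

Implements the conservative matching rules from RFC 6125 section 6.4.3:
  * names are compared case-insensitively, ignoring a trailing dot;
  * a wildcard is only accepted as the entire leftmost label ("*.example.com");
  * that wildcard matches exactly one label, so "*.example.com" does not cover
    "example.com" or "a.b.example.com";
  * a wildcard needs at least two further labels, so "*.com" is rejected.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Wildcard must be the whole leftmost label and nothing else may contain "*".
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse wildcards that would cover a whole public suffix such as "*.com".
    if len(p_labels) < 3:
        return False
    # "*" stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False

    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def certificate_covers_host(san_dns_names, hostname: str) -> bool:
    """Return True if any DNS SAN entry in the certificate covers hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names)


# Constructed SAN list standing in for a hosting provider's wildcard certificate
# (assumption for the example; not taken from a real certificate).
TENDER_CERT_SANS = ["*.tenderapp.com", "tenderapp.com"]


def demo():
    """Show which hostnames the constructed certificate would and would not cover."""
    return {
        host: certificate_covers_host(TENDER_CERT_SANS, host)
        for host in (
            "support.gpgtools.org",    # the customer's own domain: not covered
            "gpgtools.tenderapp.com",  # a provider subdomain: covered by the wildcard
            "a.b.tenderapp.com",       # two labels under the wildcard: not covered
            "TENDERAPP.COM.",          # case and trailing dot are normalised
        )
    }


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:28} {'matches' if ok else 'MISMATCH'}")
```

In practice you do not hand-roll this check for real connections: Python's `ssl.create_default_context()` sets `check_hostname=True` and raises `ssl.SSLCertVerificationError` on exactly this kind of mismatch. The function above is useful for reviewing a certificate's SAN list against the hostnames you intend to serve, which is the planning step the message argues was missing.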