Fwd: Please remove MacGPG from gnupg.org due to serious security concerns

Sandeep Murthy s.murthy at mykolab.com
Tue Feb 17 20:58:10 CET 2015


I would also add that if you agree that more people should
be using encryption in more forms then the way to go is
to make it more more usable and user friendly (and at the
moment the standard GnuPG version can’t exactly be described as
that) then this is not an aspiration that should be described
as dumb.  What is probably dumb is the kind of purist attitude
about the perfect Linux platform and how great it is to have
the perfect GnuPG set up.

I would bet that more people who’ve used tools like GPG Suite
have taken up encryption than those exposed to the command
line subtleties of GnuPG.  Both can be used at the same time,
as I do, you don’t have to choose between them.

Sandeep Murthy
s.murthy at mykolab.com

> Begin forwarded message:
> 
> Subject: Re: Please remove MacGPG from gnupg.org due to serious security concerns
> From: Sandeep Murthy <s.murthy at mykolab.com>
> Date: 17 February 2015 19:03:30 GMT
> Cc: Martin Paljak <martin at martinpaljak.net>
> To: gnupg-users at gnupg.org
> 
> I suppose if you were conceited enough to describe yourself
> as a “power user” then you might be dumb enough to think
> that people who use GPG Suite are “dumb users”.
> 
> Platform fanatics and those make an easy job of caricaturing
> themselves in their fanaticism for a “pure setup”, which is an
> illusion.  In the real world every system can be compromised
> and no can have such a setup, no matter how hard you try.
> 
> You don’t have to choose between OS X and Linux, there are
> lots of people who use both.
> 
> I have both GnuPG and GPG Suite, and I use both when I have
> to.  As a user, not a developer on MacGPG, the issues previously
> raised here about the remote execution of scripts etc. may be
> questionable, but they do not directly affect my use of the software,
> which is nothing but a front end for GnuPG.
> 
> The GPG plug-in for Apple Mail is not without its shortcomings but
> it is incredibly easy to use and works well the other components
> of the GPG suite.  I have not used Enigmail, but it’s simply a
> question of choice.
> 
> Sandeep Murthy
> s.murthy at mykolab.com
> 
>> On 17 Feb 2015, at 16:31, Martin Paljak <martin at martinpaljak.net> wrote:
>> 
>> On Tue, Feb 17, 2015 at 6:00 PM, Ville Määttä
>> <mailing-lists at asatiifm.net> wrote:
>>> Instead they should use upstream and contribute the minimal amount of wrappers or fixes upstream. Case in point: Has the fix for gpg-agent / scdaemon hang been discussed upstream at all [4], [5]? In MacGPG there is still ../libexec/gnupg-pcsc-wrapper which has been modified in commit f4c3e1bb to fix the issues of scdaemon hanging in Yosemite [6]. GnuPG proper has removed it in bc6b45 [7]. How would one go about fixing this issue for upstream? Has GPGTools contributed anything regarding this other than the initial discussion[8] about the issue? Upstream still does have the issue which now seems to have been fixed in the fork but in a binary removed from upstream…
>> 
>> 
>> Not sure about overall GnuPG affection with Apple or other closed
>> source software, but the PC/SC layer in Yosemite is broken (again):
>> 
>> http://ludovicrousseau.blogspot.fr/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html
>> 
>> Generally speaking, I think the GPGTools folks care about "usage for
>> dumbusers" which means making stuff Work(tm) for the not-so-powerusers
>> on a not-so-great platform. It is the users's choice to use OSX (not
>> Linux), the same way it is their choice to use Mail.app (not Enigmail)
>> the same way it is their choice to use a simple to use binary
>> installer with crappy build machinery instead of verifying the
>> checksums of every download.
>> 
>>> So, *"official website for gpg on OS X"* according to this user critical of making discontinuation of a free version.
>> 
>> GnuPG just got a huge sum of money, I'm sure arrangements can be made
>> to allocate some of that for a easy to use and *free* OSX version with
>> an integrated GUI ?
>> 
>>> Another: GPGTools support site has a certificate mismatch [14]. WTF is a *.tenderapp.com cert doing here?
>> 
>> Because that site is run by Tender and if you connect to the https
>> version, you get their site? Probably makes sense to bug Tender with
>> this.
>> 
>> 
>> So, generally speaking: if the upstream has not catered to the OSX
>> folks and somebody on the internet has, I would not blame GPGTools
>> guys for doing it. Yes, it would be nice if one at least tried to
>> contribute back to upstream and to work in an open manner, but at
>> least they DO something, for what there is apparent need.
>> 
>> Martin
>> 
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20150217/127dea77/attachment.sig>


More information about the Gnupg-users mailing list