Please remove MacGPG from gnupg.org due to serious security concerns

Jonathan Schleifer js-gnupg-users at webkeks.org
Wed Feb 18 12:21:43 CET 2015


Am 17.02.2015 um 22:32 schrieb Lukas Pitschl <lukele at gpgtools.org>:

> The best way to reach us is either our support platform at https://gpgtools.tenderapp.com or team at gpgtools.org.

When I tried contacting you guys a little more than a month ago, there was no e-mail to be found on the website. Only a support forum that sounded like "Users helping users" (so I didn't want to report the bug there) and a Twitter, which I then used. Can you please make sure it's easy to find that mail address?

> The code that checks out our GPGTools_Core repository is pretty old already and it’s certainly a stupid way to do it.

It's not so much about age, but about what thought process came to the conclusion that this might be a good idea. This is a security project, so every change should be made with thorough thought about the security implications that change might have. This was clearly not done here, and IMHO downloading and executing remote code without any verification is unforgivable for a security project.

> At the time we assumed that it was safe to check it out via ssl from github, since curl would refuse to do so if there was a certificate error.

This entirely depends on the certificate store curl has and the configuration. Granted, the defaults on OS X are sane. But still, this relies completely on GitHub not being compromised. And it was only quite recently that someone managed to get write access to repos due to a bug in GitHub. How can someone blindly trust and rely on a service they can neither control nor audit for the security of their users in a security project? This is just extremely irresponsible.

And even worse: Why did you decide to hide what is going on by prefixing it with a @? This really feels like you are trying to deceive users, hiding from them that they execute remote code that you could change at any moment. Worse yet, you could later on switch it back and nobody would notice. This feels a lot like a hidden backdoor to me.

> we will only charge a fee for GPGMail, the rest of GPG Suite will remain free.

Actually, I'm all for you charging a fee. That will create enough pressure for a fork that will then hopefully have better security practices.

--
Jonathan
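The point of the thread above is that TLS on the download only proves you reached github.com, not that the bytes are the ones the maintainer reviewed, and that a leading `@` in a make recipe suppresses echoing the command so the user never sees the fetch happen. The following is an added example, written for this page and not code from GPGTools or from anyone in the thread. It assumes the fetched artifact is a shell script and that the maintainer publishes its SHA-256 out of band; the script is passed in as a local path so the example runs offline (in practice it would be the file curl just wrote to disk). The function names and the digest-pinning approach are illustrative, not the project's own.

```bash
#!/bin/sh
# Added example: fetch-then-execute guarded by a pinned SHA-256.
# The artifact is assumed to have been downloaded separately (e.g. curl over
# HTTPS to a temp file); it is never piped straight into sh.  A pinned digest
# (or a detached GPG signature) is what ties the bytes on disk to a release
# the maintainer actually reviewed, which the TLS handshake alone cannot do.

# SHA-256 of a file, portable across Linux (sha256sum) and macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's digest equals the expected (pinned) digest.
# EXPECTED is assumed to come from a trusted, out-of-band source such as a
# signed release note, never from the same server that served the file.
verify_pinned() {
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ]
}

# Run the script only after verification.  On a mismatch the file is left
# untouched for inspection and the function returns 1 without executing it.
# In a Makefile, write the recipe line WITHOUT a leading "@" so that make
# echoes the command and the user can see what is being fetched and run.
verify_and_run() {
    script="$1"
    expected="$2"
    if ! verify_pinned "$script" "$expected"; then
        echo "refusing to run $script: SHA-256 mismatch" >&2
        return 1
    fi
    sh "$script"
}
```

Usage from a build step would be `curl -fsSL -o build/core.sh "$URL" && verify_and_run build/core.sh "$PINNED_SHA256"`, with `PINNED_SHA256` committed in the repository alongside the URL. Any change to the remote file then fails the build loudly instead of silently running new code, and bumping the pin is a visible, reviewable commit rather than an invisible change on a server nobody audits.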

