Please remove MacGPG from gnupg.org due to serious security concerns

Hugo Osvaldo Barrera hugo at barrera.io
Sun Feb 22 06:52:55 CET 2015


On 2015-02-17 22:32, Lukas Pitschl wrote:
> Hi all,
> 
> <snip>
> 
> The code that checks out our GPGTools_Core repository is pretty old already and it’s certainly a stupid way to do it.
> At the time we assumed that it was safe to check it out via ssl from github, since curl would refuse to do so if there was a certificate error. Passing it directly to bash is definitely a bad idea.
> We’ve discussed this internally and decided on removing the automated checkout completely.
> By making it a manual task, everyone can checkout the code and verify that it’s in fact the code they wanted to checkout.
> We will also look through our build system and check for similar code if there is.
> 
> <snip>

Hi,

How about using the github flow[1][2] instead of committing straight to
master?

This would force at least *one* other dev to quickly code-review anything
making it into the master branch. It's not incredibly burdensome, but it adds a
second pair of eyes to every line - something quite valuable in a security
project, IMHO.

Just my two cents,

[1]: https://guides.github.com/introduction/flow/index.html
[2]: http://scottchacon.com/2011/08/31/github-flow.html

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
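The manual checkout-and-verify step Lukas describes above, as an added example that is neither GPGTools' build code nor part of the original thread: a POSIX sh helper that saves the fetched script to a file and refuses to execute it unless its SHA-256 matches a digest pinned in the build system (the file names, the demo script and where the pinned digest comes from are assumptions).

```shell
#!/bin/sh
# Added illustration, not GPGTools' build code: the alternative to
# `curl https://... | bash`. Save the fetched script to a file, compare its
# SHA-256 with a digest pinned alongside the build scripts, and execute it
# only when the digest matches, so a substituted or modified download fails
# closed instead of running.
set -eu

# Print the SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh only when its digest equals EXPECTED_SHA256; otherwise
# returns 1 without executing a single line of it.
verify_then_run() {
  _file=$1
  _expected=$2
  _actual=$(file_sha256 "$_file")
  if [ "$_actual" != "$_expected" ]; then
    echo "refusing to run $_file: digest mismatch" >&2
    echo "  pinned:  $_expected" >&2
    echo "  fetched: $_actual" >&2
    return 1
  fi
  sh "$_file"
}

# Demo with a constructed stand-in for the downloaded script. In real use the
# file would come from `curl -o` and the digest would be a constant committed
# with the build scripts after review, not computed on the fly as here.
demo_script=$(mktemp)
printf 'echo "core checkout step running"\n' > "$demo_script"
pinned=$(file_sha256 "$demo_script")

verify_then_run "$demo_script" "$pinned"            # digest matches: runs

printf 'echo "injected"\n' >> "$demo_script"        # simulate a modified download
verify_then_run "$demo_script" "$pinned" || echo "blocked: modified script not run"
rm -f "$demo_script"
```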