Please remove MacGPG from gnupg.org due to serious security concerns

steve steve at openmailbox.org
Fri Sep 11 13:20:47 CEST 2015


Dear all,

Any bug reports should be filed on our support platform at https://gpgtools.tenderapp.com. For highly sensitive inquiries you can always get in touch at team at gpgtools.org - our public key is on our homepage, bottom left, and has fingerprint 85E3 8F69 046B 44C1 EC9F  B07B 76D7 8F05 00D0 26C4.

The source in question is on GitHub at https://github.com/GPGTools/localizeXIB and the binary is no longer required to compile pinentry-mac.

Kind regards,
steve (GPGTools)


> On 23.08.2015 at 14:28, Jonathan Schleifer <js-gnupg-users at webkeks.org> wrote:
> 
> Sorry for reviving this old thread. But since you guys still don't accept bug reports (why?!)…
> 
> I'm not sure whether this is better or worse than the old situation, but now you include an unsigned binary in your tree that is executed as part of the build process. Nowhere can be found what this binary does or from which sources it has been built. This is at least as bad as executing remote code. Can you please explain why you do this, or why you thought this would be a good idea after that long discussion on how important security is for a security product?
> 
> --
> Jonathan
