gpa and gnupg 1.0.7
Werner Koch
wk@gnupg.org
Fri May 10 18:25:01 2002
Hi!
Today I received a small security patch for gpa (unsafe usage of /tmp
but only exploitable with GPGME_DEBUG set) and so I had a look into
the 0.5.0 source.
GPA will have major problems with any GnuPG version newer than 1.0.6
because it still uses canned reponses to automate the --edit-key
menu. This does only work for the very standard keys but not for any
keys with extra properties. 1.0.7 has a couple of extra prompts to
improve OpenPGP support.
So there is an immediate need to fix these things by using the
--status-fd/command-fd interface instead of the the canned responses.
We might even want to take this as an opportunity to migrate towards
gpgme for easier maintenance in the future.
Now for the silly question: Any volunteers?
Werner