On 11/13/2014 07:01 AM, Werner Koch wrote:
> gpg: Make the use of "--verify FILE" for detached sigs harder.

thanks for doing this, Werner.

> Now waiting which tools or scripts will break. I checked a few
> (including dpkg) and they do the Right Thing.

i'm glad to hear this.

> Shall this be ported to 2.0 and 1.4 and fixes released? I guess yes.

yes, please. This is an important security hardening, and it shouldn't depend on which branch people are using.

If people have tools that break because of this change, those tools were probably vulnerable to even worse breakage (silent breakage where things they thought were validated weren't actually validated), so this is a valuable fix, even if there's short-term difficulty.

Regards,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users