Hi!
I hereby request that MacGPG gets removed from gnupg.org due to serious
security concerns. Basically, the first thing the Makefile in all their repos /
tarballs does is this:
@bash -c "$$(curl -fsSL
https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)"
So you type make not expecting anything bad (you verified the checksum and
everything), but you just executed remote code. Great. And they even hide it
from you by prefixing it with @, which is downright evil. So you never notice
unless you look at the Makefile. Currently, that script clones another common
repo using the unverified git:// protocol (because, why use submodules if you
can do it in an insecure way?), but obviously, that can change any minute and
could change just for certain IPs etc.
The developer(s) don't allow any issues on GitHub, so I tried contacting them
by other means (e.g. Twitter), only to get ignored. They clearly don't care
about security.
In any case, somebody who does something like this clearly doesn't care about
security the least. The potential for backdoors is extremely high and I think
nobody should be using any software written by this developer / these
developer(s), as they clearly demonstrated that they couldn't care less about
your security.
I don't feel comfortable that the majority of Mac users are using this software
which doesn't care for security at all, but is used for extremely security
sensitive tasks. I guess this is because gnupg.org recommends it and therefore
people think it's safe. I think gnupg.org should do the contrary instead and
strongly discourage using it.
--
Jonathan
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
