Hi Sylvain, On Mon, Oct 03, 2016 at 07:20:47AM +0200, Sylvain Viart wrote: > Le 30/09/2016 à 11:33, Thorsten Wißmann a écrit : > > if there is an executable pass-clipwiz in the PATH. This does not only > > fit the usual pass workflow (first show a file, then paste it using > > clipwiz), but one also gets the tab-completion for custom pass scripts > > for free. > > Sounds cool! > > See also: > > [pass] Extending pass with user-defined hooks / add ons > https://lists.zx2c4.com/pipermail/password-store/2015-August/001659.html
I see, thanks! I think the main decision is whether those extensions should be part of "the password store" (that approach) or of the system (my approach). > Does GPG web of trust sure enough, to allow co-signing script to enable > such signed plugins? I don't understand your question. But are you asking how my patch could be extended to call only 'signed' extensions? If some bad guy has write access to some directory in $PATH and wants to take over your password store, then the bad guy can simply add a malicious `pass` executable and the user would not notice. I.e. I don't think `pass` should do something like signing of program code. It's some separate problem to check if the programs in your $PATH are trustworthy or not. Cheers, Thorsten
signature.asc
Description: PGP signature
_______________________________________________ Password-Store mailing list Password-Store@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/password-store