Hi Sylvain,

On Mon, Oct 03, 2016 at 07:20:47AM +0200, Sylvain Viart wrote:
> On 30/09/2016 at 11:33, Thorsten Wißmann wrote:
> > if there is an executable pass-clipwiz in the PATH. This does not only
> > fit the usual pass workflow (first show a file, then paste it using
> > clipwiz), but one also gets the tab-completion for custom pass scripts
> > for free.
> 
> Sounds cool!
> 
> See also:
> 
> [pass] Extending pass with user-defined hooks / add ons
> https://lists.zx2c4.com/pipermail/password-store/2015-August/001659.html

I see, thanks! I think the main decision is whether those extensions
should be part of "the password store" (that approach) or of the system
(my approach).

> Does GPG web of trust sure enough, to allow co-signing script to enable
> such signed plugins?

I don't understand your question. But are you asking how my patch could
be extended to call only 'signed' extensions?

If some bad guy has write access to some directory in $PATH and wants to
take over your password store, then the bad guy can simply add a
malicious `pass` executable and the user would not notice.

I.e. I don't think `pass` should do something like signing of program
code. It's some separate problem to check if the programs in your $PATH
are trustworthy or not.

Cheers,
Thorsten

_______________________________________________
Password-Store mailing list
Password-Store@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/password-store
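
The message above treats checking whether the programs in $PATH are trustworthy as a problem separate from `pass`. One way to run that check from the shell is sketched below, as an added example that is not part of the original message or of pass. The function names `audit_path` and `list_candidates` are hypothetical, and the ownership rule (current user or root) is an assumption.

```shell
#!/bin/sh
# Added example (not from pass). Function names are hypothetical.

# Print one "UNSAFE ..." line per risky entry of a PATH-style string ($1).
# Runs in a subshell "( ... )" so the IFS and globbing changes do not leak.
audit_path() (
    me=$(id -u)
    IFS=:
    set -f
    for dir in $1; do
        case $dir in
            /*) ;;
            *)  echo "UNSAFE '$dir': relative or empty entry, resolved against the current directory"
                continue ;;
        esac
        [ -d "$dir" ] || continue
        # Anyone with write access to the directory can plant an executable.
        if [ -n "$(find -H "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "UNSAFE $dir: group- or world-writable"
        fi
        if [ -n "$(find -H "$dir" -prune ! -user "$me" ! -user 0 -print)" ]; then
            echo "UNSAFE $dir: owned by another non-root user"
        fi
    done
)

# Print every executable named $1 found in the PATH-style string $2, in
# lookup order. The first line is what the shell runs; more lines mean shadowing.
list_candidates() (
    IFS=:
    set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            echo "$dir/$1"
        fi
    done
)

# Audit the current environment.
audit_path "$PATH"
list_candidates pass "$PATH"
```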
