On 07/10/2016 08:28, Sylvain Viart wrote:
But what about non-programmer users?
I can't tell them to do that, right.

Sometimes (often) I don't have time to review the code myself; I need
to trust the system and free my mind of this issue. For example,
running a GNU/Linux distro + passwordstore, let's say I'm trusting that,
so I can go.

That was more my point. .deb packages are signed and reviewed by some
volunteer; I don't know if the system is perfect or not, but I'm
trusting it. ;-)

So the obvious options are:

1. package pass itself as a .deb package, and all the plugins as .deb packages. Tell the user never to install any software from any other source.

(They will still need to add your apt repository, and its signing key, but that's a one-off task)

2. Simpler: give the user trusted URLs from where they can download pass and pass plugins (for example: trusted github accounts). Tell them not to install from anywhere else.

If you're being extra safe, tell them to check out a specific commit of each plugin.

I can't see any way in which adding plugin signatures to pass itself is helpful. How are you going to choose which signatures to trust? Either pass is hard-coded with a list of trusted plugin authors, or you have to add the author keys too. In which case this is no better than either of the previous options.

There are many worse weaknesses in the system. What's to stop the user removing the passphrase from their private key? Or decrypting all the keys from the password repository and leaving them in their /home directory?

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
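One way to put option 2 into practice for users who can't review code themselves, as an added example (not from this thread or from the pass project): a POSIX sh installer that fetches a plugin only from a URL the maintainer has listed as trusted, pins it to a full commit id, and refuses anything else. The function name, the `NAME.bash` file layout, and the destination directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of pass itself.
# Installs a pass plugin from a trusted git URL pinned to one commit.
# Assumed layout: the plugin repository ships NAME.bash at its top level.
set -eu

# install_pinned_extension NAME URL COMMIT DEST
#   NAME   plugin name (file NAME.bash is copied out of the clone)
#   URL    git URL the maintainer of the trusted list vouches for
#   COMMIT full 40-hex commit id that was reviewed; branch names and
#          short ids are rejected so a later push cannot change the result
#   DEST   directory the plugin is installed into
install_pinned_extension() {
  name=$1; url=$2; expected=$3; dest=$4

  # Only a full commit id pins content; tags and branches can be moved.
  case "$expected" in *[!0-9a-f]*|"") echo "refusing $name: commit id must be hex" >&2; return 1;; esac
  if [ "${#expected}" -ne 40 ]; then
    echo "refusing $name: commit id must be 40 hex characters" >&2; return 1
  fi

  tmp=$(mktemp -d)
  if ! git clone --quiet "$url" "$tmp/$name"; then
    rm -rf "$tmp"; return 1
  fi
  # Check out the reviewed commit rather than whatever the remote's
  # default branch currently points at.
  if ! git -C "$tmp/$name" checkout --quiet "$expected"; then
    echo "refusing $name: pinned commit not present in $url" >&2
    rm -rf "$tmp"; return 1
  fi
  # Belt and braces: confirm HEAD really is the pinned id before copying.
  actual=$(git -C "$tmp/$name" rev-parse HEAD)
  if [ "$actual" != "$expected" ]; then
    echo "refusing $name: HEAD $actual != pinned $expected" >&2
    rm -rf "$tmp"; return 1
  fi

  mkdir -p "$dest"
  cp "$tmp/$name/$name.bash" "$dest/$name.bash"
  rm -rf "$tmp"
  echo "installed $name at $expected into $dest"
}

# Stand-alone use: install_pinned_extension.sh NAME URL COMMIT DEST
if [ $# -eq 4 ]; then
  install_pinned_extension "$@"
fi
```

Running the check against a list of (name, URL, commit) triples maintained by whoever does the reviewing gives non-programmer users a single command instead of a judgement call.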
