Re: [gpg-agent] Empty OPTION xauthority=

Sun, 03 Mar 2024 12:09:06 -0800 

On Sun Mar 3, 2024 at 10:05 AM CET, Werner Koch wrote:
> > am running it on host with systemd --user services (configuration
>
> Take care, the use of systemd is racy and support will be removed in
> 2.6.

1. Could you please explain why it is racy? Why from all services
   only gpg is unsuitable for systemd treatment? It is just one
   socket as any other, isn’t it? Could you point to some issue
   ticket, email thread, blog post explaining the problem?
2. When running on MicroOS system (or Fedora Atomic) how could
   you guarantee that there is only one gpg-agent and gpg
   doesn't try to run it inside of a container, thus making it
   inacessible to other containers on the system (Flatpak or
   podman) and to the host system? I don't see any other solution
   than running permanently one gpg-agent on the host system open
   to everybody, which systemd --user service seems to provide
   nicely.

> gpg takes the value for xauthority from the envvar XAUTHORITY.  In your
> case it seems that this envvar is set to the empty string which results
> in the above synax error.  Using xauthority without a value and thus
> without the '=' removes the value from gpg-agent's environment.

Yes, thank you for kicking me in the right
direction, I found a bug in distrobox
(https://github.com/89luca89/distrobox/pull/1252).

> In theory it would be possible to ignore the empty string but given that
> we have the code this way for 20 year the risk of a regression is to
> high.

What? You know there is a vulnerability in gpg (actually,
couldn't the particularly modified environment be abused for some
DoD style attack?) and you don't want to fix it, because you had
that bug there long enough? I probably do not understand what you
were trying to say.

> Please figure out why XAUTHORITY is set to the empty sting.
> XAUTHORITY is only needed if you don't use ~/.Xauthority to store the
> X11 magic cookies; see xauth(1).

I have Wayland-only system (based on sway), so whole XAUTH*
variables are nonsensical here.

Best,

Matěj

-- 
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5  BC1D 7920 5802 880B C9D8
 
Monday, December 9th. We skip the bus tour of Stockholm to attend
the economics lecture. Our guest status is again good for front
row seats.  We hear about the theory of auctions. There are
integrals and derivatives. It’s like physics except physics
works.

Attachment: E09FEF25D96484AC.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to