> Why exactly should shell=True be necessary?

It turns out that shell=True (basically what started the fork) is not needed now. Vinay changed it in the latest release of the "original" python gnupg, which came after a bunch of CVEs and some comments in this thread as a result of python-gnupg-ng: http://seclists.org/oss-sec/2014/q1/303

The original reason for doing shell=True is/was commented on in the python-gnupg (original) code: without that, it didn't work on Windows.

So while it is true that shell=True is not needed, python-gnupg-ng has other advantages: it's more community based (it has a bugtracker and public repo, to begin with), the code has diverged from the original a bit in adding various gnupg functionality to the module, re-reading of the original having security and documentation in mind and improving the overall code quality.

I'd argue that including this in Debian is a win because this one has:

* Better gnupg options parsing.
* Better code structure.
* Better documentation.
* Open repo and bugtracker.

Also - we have a package ready to upload for it.