Yeah, mailpile has a very unusual architecture, so its no surprise it'll need some unusual tricks. Unusual tricks in software that aims to be secure generally make me nervous since it is important to keep code readable and understandable for both the core devs, but also contributors, auditors, etc.
.hc On Mar 3, 2015, at 4:23 PM, Brian Minton wrote: > It breaks mailpile because gpg-agent is not session aware. A user could > be logged in locally, using mailpile, and a remote attacker could access > the web interface of that locally running mailpile instance, which since > it is talking to the same gpg-agent, would think the remote user is > logged in (or more precisely, has the private key). > > I think that one solution would be to have mailpile use a per-session > gpg home dir. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
