Hi, Le 04/10/2016 à 07:40, Brian Candler a écrit : > On 04/10/2016 05:45, Sylvain Viart wrote: >> Pass itself could be signed. By the user at init. > But why? Do you have a version of Linux which only executes signed > scripts/binaries? No, just an idea to share about. It could be a bad idea, of course… And also because web of trust is interesting me. :-)
Not only signed scripts. > As for the admin being tricked into installing a malicious plugin - > what's the difference between that and installing a malicious version > of 'pass' itself? > > The only protection for 'pass' is installing it from a trusted > location, and/or verifying the code by eye. Surely the same applies to > plugins? You're right of course. But what about non-programmer user? I can't tell them to do that, right. Some time, (often) I don't have time to review the code myself, I need to trust the system, and free my mind about this issue. For example running a GNU/Linux distrib + passwordstore, lets say I'm trusting that, so I can go. That was more my point. .deb packages are signed and reviewed by some volunteer, I don't know if the system is perfect or not, but I'm trusting it. ;-) Sylvain. -- Sylvain Viart - DevOps système linux - freelance developer
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Password-Store mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/password-store
