concerns about the security reliability of python-gnupg
Hi,
Recently, python-gnupg was triaged for maintenance in Debian LTS, which
brought my attention to this little wrapper around GnuPG that I'm
somewhat familiar with.
Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
right now, with buster and sid marked as fixed, as you can see here:
https://security-tracker.debian.org/tracker/source-package/python-gnupg
I'm concerned about the security of this project in general. Even though
that specific instance might be fixed, there are many more bad security
practices used in this project. A fork was created by Isis Agora
Lovecruft to fix those issues:
https://github.com/isislovecruft/python-gnupg/
Those patches were not merged back upstream, which is disputing isis'
claims. The security issues found in the upstream package are partly
documented here:
https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html
I am concerned that fixing only this specific CVE will give users a
false sense of security, as many more similar issues might be lurking in
the code. Having, myself, dealt with writing such a library (lesson
learnt: don't do that), I can confirm it is very hard (if not
impossible) to properly talk with GnuPG in a reasonable way. There is
now a constant flow of vulnerabilities coming out that outline commonly
made mistakes when trying to talk the line dialog with GnuPG. For
example:
https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/
I suspect many such issues could be identified formally in the
python-gnupg package.
But maybe, instead, we should just mark it as unsupported in
debian-security-support and move on. There are few packages depending on
it, in jessie:
    Reverse Depends:
      Dépend: hash-slinger
      Dépend: pyspread

in stretch:

    Reverse Depends:
      Casse: gnupg (<< 0.3.8-3)
      Recommande: python-sleekxmpp
      Dépend: pyspread
      Dépend: hash-slinger
      Dépend: goopg
      Dépend: deken

in buster:

    Reverse Depends:
      Casse: gnupg (<< 0.3.8-3)
      Dépend: hash-slinger
      Dépend: goopg
      Recommande: python-sleekxmpp
      Dépend: python-rosbag
      Dépend: pyspread
Note that the list is (slowly) growing.
What do people think?
A.
--
The adversary of true liberty is an excessive desire for security.
- Jean de la Fontaine