Beware of leftover gpg-agent processes (was: Re: Changes for GnuPG in debian)

[Ian Jackson <ijackson@chiark.greenend.org.uk>]

Johannes Schauer writes ("Beware of leftover gpg-agent processes (was: Re: Changes for GnuPG in debian)"):

> Quoting Daniel Kahn Gillmor (2016-08-04 18:29:03)
> > One of the main differences is that all access to your secret key
> > will be handled through gpg-agent, which should be automatically
> > launched as needed.
> 
> it might be important to note that gpg launching this gpg-agent
> process is not optional and that it will automatically be launched
> and continue running in the background for many gpg operations.

This is rather alarming.  As a longtime gpg1 user I hadn't appreciated
this.

Could we not have gpg2 not only automatically launch the agent, but
also automatically terminate it.  This would provide the same UI and
same persistence properties as gpg1.

I don't think a general change to a timeout-based persistence model is
a good idea in itself; and of course there are the practical problems
Johannes mentions.

Ian.