Re: Bug#903815: ITP: pw -- A simple command-line password manager

To: debian-devel@lists.debian.org, 903815@bugs.debian.org
Subject: Re: Bug#903815: ITP: pw -- A simple command-line password manager
From: Roberto C. Sánchez <roberto@debian.org>
Date: Mon, 16 Jul 2018 09:36:51 -0400
Message-id: <[🔎] 20180716133651.glfo5nhdelanehcg@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-devel@lists.debian.org, 903815@bugs.debian.org
In-reply-to: <[🔎] CAMucfLwJe8BFs-eKfR73uaxgWnXNhn4R-GhXLfsqgQw3UNTPFQ@mail.gmail.com>
References: <[🔎] 20180715084224.5kzlh4mfiy7z4qzc@dashamir> <[🔎] ac0827e2-5469-a1c9-da89-b4ebaf9e458d@debian.org> <[🔎] CAMucfLwG=K==qDgv+Rt56LHAFjyW+J=sfqzE8nv7QHx6guvRRg@mail.gmail.com> <[🔎] 20180715214716.GE17764@espresso.pseudorandom.co.uk> <[🔎] CAMucfLw1zSgvOQ4oeDHTW-3R+SL6GmYvCsNpDS35fGT8gm=cjA@mail.gmail.com> <[🔎] 886d9977-0814-11f0-f2f3-cca8de5cbad6@debian.org> <[🔎] CAMucfLwJe8BFs-eKfR73uaxgWnXNhn4R-GhXLfsqgQw3UNTPFQ@mail.gmail.com>

On Mon, Jul 16, 2018 at 03:14:20PM +0200, Dashamir Hoxha wrote:
>    On Mon, Jul 16, 2018 at 2:16 PM Philipp Kern <[1]pkern@debian.org> wrote:
> 
>      This clearly writes the unencrypted tarball out to disk.
> 
>    It writes to `/dev/shm` which is not disk.

That is not a valid assumption.  You have no way of knowing the device
behind /dev/shm.

> It writes to a random
>    temporary directory, so that it cannot be guessed. It removes
>    the unencrypted content as soon as the operation is performed.

Unless the operation is atomic there is a possibility it can be
interrupted.

>    All this happens almost instantly, it never stays unencrypted
>    for a long time.

Ibid.

> It is almost the same thing as using a pipe (|).
>    What is wrong here?

It is not the same thing and it is based on several invalid/flawed
assumptions.

> I have been using it for 2-3 years and
>    never had a problem.
> 

That doesn't make it correct code.  I spend most of my day in code bases
authored by other people.  I consistently find bugs that have been in
production, unreported, for 10 or more years.  A bug is still a bug when
it is found and identified, even if it has never manifested itself in
the real world.  If you doubt that, please review the recent news
surrounding the SPECTRE and MELTDOWN vulnerabilities.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

References:
- Bug#903815: ITP: pw -- A simple command-line password manager
  - From: Dashamir Hoxha <dashohoxha@gmail.com>
- Re: Bug#903815: ITP: pw -- A simple command-line password manager
  - From: Philipp Kern <pkern@debian.org>
- Re: Bug#903815: ITP: pw -- A simple command-line password manager
  - From: Dashamir Hoxha <dashohoxha@gmail.com>
- Re: Bug#903815: ITP: pw -- A simple command-line password manager
  - From: Simon McVittie <smcv@debian.org>
- Re: Bug#903815: ITP: pw -- A simple command-line password manager
  - From: Dashamir Hoxha <dashohoxha@gmail.com>
- Re: Bug#903815: ITP: pw -- A simple command-line password manager
  - From: Philipp Kern <pkern@debian.org>
- Re: Bug#903815: ITP: pw -- A simple command-line password manager
  - From: Dashamir Hoxha <dashohoxha@gmail.com>

Prev by Date: Re: Bug#903815: ITP: pw -- A simple command-line password manager
Next by Date: Re: Bug#903815: ITP: pw -- A simple command-line password manager
Previous by thread: Re: Bug#903815: ITP: pw -- A simple command-line password manager
Next by thread: Re: Bug#903815: ITP: pw -- A simple command-line password manager
Index(es):
- Date
- Thread