Re: Bug#854797: pinentry-emacs in Debian

To: Lev Lamberov <dogsleg@debian.org>, 854797-done@bugs.debian.org
Cc: debian-emacsen@lists.debian.org
Subject: Re: Bug#854797: pinentry-emacs in Debian
From: Andreas Metzler <ametzler@bebt.de>
Date: Fri, 27 Dec 2024 08:01:47 +0100
Message-id: <[🔎] Z25Q21Jylkiz4AZP@argenau.bebt.de>
In-reply-to: <878thn275y.fsf@riseup.net>
References: <87a8241fvl.fsf@riseup.net> <87o9qk81zr.fsf@tethera.net> <148673317155.10614.3024837519483361317.reportbug@dash.home> <878thn275y.fsf@riseup.net>

On 2017-09-09 Lev Lamberov <dogsleg@debian.org> wrote:
> Сб 09 сен 2017 @ 12:56 David Bremner <david@tethera.net>:
>> Lev Lamberov <dogsleg@debian.org> writes:
>>> I'd like to rise again the reporter concern [0] about availability of
>>> pinentry-emacs in Debian, because I'd be very-very happy to see it
>>> there. The support of pinentry-emacs is required for the pinentry Emacs
>>> pacakge [1]. I've read the thread (and also looked through cited
>>> upstream issues), but was not able to find any conclusion on the issue.

>> I'm not very convinced by the argument (on the upstream bug) that using
>> emacs for pinentry is no riskier than pinentry-gtk2.
>>
>> - the vast majority of emacs users that I interact with use software
>>   from outside elpa.gnu.org, so I don't think any security standards for
>>   elpa (supposing we grant that those are real) provide much
>>   comfort.
>>
>> - I can't evaluate the effectiveness of the various OS level protections
>>   against ptrace, but at least some exist. The emacs memory model is
>>   extremely simple: every "application" has read/write access to every
>>   other "application"'s memory. There might be some clever things that
>>   can be done, but I suspect the very features that make emacs so
>>   extensible mean there are many many attack vectors (how about just
>>   redefining or advising read-passwd?).
>>
>> - Several popular packages for emacs are network facing (e.g. irc
>>   clients). This means that in principle users are exposed to remote
>>   attacks.  Imagine we integrated an IRC client into pinentry-gtk2.

> OK, I see your point and convinced with your argument. Thank you very
> much for your input!

Good morning,

I am now closing this bug report.

Quoting https://dev.gnupg.org/T6909
| pinentry-emacs is obsolete. It's for older Emacs (<= 25, IIUC) which had
| lisp/pinentry.el.  For Emacs 26 and newer, we can simply use
| epa-pinentry-mode having the value of loopback.
| 
| Emacs 26 was released in May 2018. We could drop pinentry-emacs from
| next release of pinentry.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Reply to:

Prev by Date: Processed: Re: Bug#1091462: dh-make-elpa: Use "upstreamvcs" as suggested upstream remote name
Next by Date: Bug#1091462: dh-make-elpa: Use "upstreamvcs" as suggested upstream remote name
Previous by thread: Bug#1091462: marked as done (dh-make-elpa: Use "upstreamvcs" as suggested upstream remote name)
Next by thread: el-mock-el_1.25.1+git20220625.6cfbc9d-1_source.changes ACCEPTED into unstable
Index(es):
- Date
- Thread