Paulo Roberto Alves de Oliveira (aka kretcheu) said [Fri, Nov 13, 2015 at 02:03:05PM -0200]:

> * Package name    : pidgin-gpg
>   Version         : 0.9
>   Upstream Author : Alexander Murauer <segler_alex@web.de>
> * URL             : https://github.com/segler-alex/Pidgin-GPG
> * License         : GPL-3
>   Programming Lang: C
>   Description     : OpenPGP plugin for Pidgin
>
> pidgin-gpg is a plugin for the Pidgin instant messaging program which enables
> it to communicate with Jabber/XMPP peers in an encrypted manner using the
> OpenPGP standard, which is understood by other clients, such as centericq,
> gajim, kopete and mcabber.
>
> Another package (pidgin-openpgp) intends to do the same thing but is not working
> anymore.

This has me a bit at unease. I don't know precisely how this plugin works, what its UI is, or many, many other details... But:

OpenPGP key pairs are a very valuable asset for many of us. Of course, those of us participating in the Debian project as DDs or DMs (or those interested in joining) hold them in high value, as they are our main means of identification for the project. And there are many "best practices", not all of which we all follow (i.e. I'd like to use a smartcard for my keys, but I don't), but we expect all parties to exercise a minimum common degree of care.

So, we take care to avoid storing our key pairs in computers directly connected to the Internet. We avoid keeping the key material in "live" memory beyond its ephemeral use. And what I feel is most important in this regard: GPG key use cases are usually restricted to signing documents/items, not to encrypting whole communication sessions. That is, in order to send this mail, I will input my key passphrase. And according to my mail client configuration, the key passphrase will be forgotten after a 5 minute interval.
If I add pidgin-gpg to my Pidgin, I will (probably - again, depends on the details of implementation) have:

- Key material in memory for the whole duration of my Pidgin session (which in my case means "always")
- Together with its passphrase (if it aims at not being obnoxious and asking for it over and over and over and over)
- In a network-connected and network-activated program
- In a fine piece of software, but one that has not been audited for security and lists tens of security advisories for the last few years, some of them leading to information leaks: https://www.pidgin.im/news/security/
- And for an application that already has a strong, different model for session encryption, better suited for full-session handling: OTR.

So... If you believe I'm mistaken on this, please go ahead. But do consider the liabilities this brings to our users!
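The mail contrasts a passphrase that is forgotten after 5 minutes with one held for a whole Pidgin session. The script below is an added example, not part of the mail thread or of the pidgin-gpg project: it audits gpg-agent.conf cache settings (`default-cache-ttl`, `max-cache-ttl`, both real gpg-agent options) against a chosen maximum lifetime, using two constructed configuration fragments, one weak and one tightened to the 300 seconds the mail describes. The fallback values 600 and 7200 are gpg-agent's documented defaults for those options.

```shell
#!/bin/sh
# Added example (not from the original mail): audit gpg-agent.conf cache
# settings against a maximum passphrase lifetime (here 5 minutes = 300 s).
# Both configuration fragments below are constructed samples.

# Constructed "weak" gpg-agent.conf: passphrase kept in the agent for a day.
WEAK_CONF='default-cache-ttl 86400
max-cache-ttl 86400'

# Constructed tightened gpg-agent.conf: passphrase forgotten after 5 minutes.
TIGHT_CONF='default-cache-ttl 300
max-cache-ttl 300'

# ttl_of CONF KEY: print the value of KEY (e.g. default-cache-ttl) from the
# configuration text CONF. If the key is absent, gpg-agent's own defaults
# apply (600 s for default-cache-ttl, 7200 s for max-cache-ttl).
ttl_of() {
    _val=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }' | tail -n 1)
    if [ -z "$_val" ]; then
        case "$2" in
            default-cache-ttl) _val=600 ;;
            max-cache-ttl) _val=7200 ;;
            *) _val=0 ;;
        esac
    fi
    printf '%s\n' "$_val"
}

# check_conf CONF LIMIT: return 0 when both TTLs are within LIMIT seconds,
# 1 otherwise, printing a one-line verdict either way.
check_conf() {
    _d=$(ttl_of "$1" default-cache-ttl)
    _m=$(ttl_of "$1" max-cache-ttl)
    if [ "$_d" -le "$2" ] && [ "$_m" -le "$2" ]; then
        printf 'OK: passphrase cached at most %s s (default %s, max %s)\n' "$2" "$_d" "$_m"
        return 0
    fi
    printf 'WARN: passphrase may stay cached up to %s s (default %s, max %s)\n' \
        "$2" "$_d" "$_m"
    return 1
}

# Run both samples; the weak one is expected to warn.
check_conf "$WEAK_CONF" 300 || true
check_conf "$TIGHT_CONF" 300
```

To audit a real setup, replace the constructed strings with `cat ~/.gnupg/gpg-agent.conf`; the point of the check is that a cache lifetime matching one signing session is easy to bound, whereas a plugin that needs the key for the whole IM session cannot be bounded this way.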