From 0fb8a5d45c1c77a5928d6e356271da055aa55994 Mon Sep 17 00:00:00 2001 From: Ben McGinnes Date: Mon, 19 Mar 2018 13:09:46 +1100 Subject: [PATCH] doc: python bindings howto * Adjusted the python-gnupg so the comments regarding insecure invocation of commands via subprocess (shell=True) were a major historical issue and not a current issue. * Not including Vinay Sajip's requested change to say it is now secure since no audit of the current code base has been performed and my last major inspection of that code was around the time I first ported PyME to Python 3 in 2015. --- lang/python/docs/GPGMEpythonHOWTOen.org | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/lang/python/docs/GPGMEpythonHOWTOen.org b/lang/python/docs/GPGMEpythonHOWTOen.org index f5192f4c..4a215544 100644 --- a/lang/python/docs/GPGMEpythonHOWTOen.org +++ b/lang/python/docs/GPGMEpythonHOWTOen.org @@ -117,7 +117,11 @@ Unfortunately it has been beset by a number of security issues, most of which stemmed from using unsafe methods of accessing the - command line via the =subprocess= calls. + command line via the =subprocess= calls. While some effort has + been made over the last two to three years (as of 2018) to + mitigate this, particularly by no longer providing shell access + through those subprocess calls, the wrapper is still somewhat + limited in the scope of its GnuPG features coverage. The python-gnupg package is available under the MIT license. 
@@ -132,15 +136,15 @@ package also relied on subprocess to call the =gpg= or =gpg2= binaries, but did so somewhat more securely. - However the naming and version numbering selected for this package - resulted in conflicts with the original python-gnupg and since its - functions were called in a different manner, the release of this - package also resulted in a great deal of consternation when people - installed what they thought was an upgrade that subsequently broke - the code relying on it. + The naming and version numbering selected for this package, + however, resulted in conflicts with the original python-gnupg and + since its functions were called in a different manner to + python-gnupg, the release of this package also resulted in a great + deal of consternation when people installed what they thought was + an upgrade that subsequently broke the code relying on it. The gnupg package is available under the GNU General Public - License version 3.0 (or later). + License version 3.0 (or any later version). *** The PyME package maintained by Martin Albrecht
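Review bot: In the first hunk (@@ -117,7 +117,11 @@), the added sentence states as fact that python-gnupg no longer provides shell access through its subprocess calls, while the commit message says no audit of the current code base has been performed; either hedge the wording ("is reported to no longer provide shell access") or cite the python-gnupg release or changelog entry where the shell=True invocation was removed so the claim is checkable. The same sentence also joins two unrelated points with "While": the security mitigation and the limited feature coverage. Splitting it, e.g. "... through those subprocess calls. The wrapper remains somewhat limited in its coverage of GnuPG features.", reads more clearly, and "GnuPG features coverage" should be "GnuPG feature coverage".

Review bot: In the second hunk (@@ -132,15 +136,15 @@), the reworded paragraph is still a single sentence spanning six lines; consider breaking it after "original python-gnupg" so that the naming conflict and the broken-upgrade consequence each get their own sentence, and "in a different manner to python-gnupg" is more idiomatically "in a different manner from python-gnupg". The license change to "(or any later version)" matches the GPL's own phrasing and is fine as is.

The commit message and the first hunk refer to the historical python-gnupg weakness, invoking =gpg= through =subprocess= with shell=True, and to its mitigation, invoking it without a shell. The following added example (not code from GPGME, python-gnupg, or this patch's author) shows what the argument-list form of the mitigation looks like and verifies that a filename containing shell metacharacters reaches the child process verbatim rather than being interpreted. The function names, the recipient address, and the sample filename are constructed for this illustration; a Python child process stands in for =gpg= so the check runs offline.

```python
import subprocess
import sys


def build_gpg_argv(gpg_binary, input_path, recipient):
    # Build an argument list, never a shell command string. Each element is
    # handed to the child process as-is, so metacharacters in input_path are
    # plain data to gpg rather than syntax for a shell.
    # (Hypothetical helper; the option set is a typical batch encrypt call.)
    return [gpg_binary, "--batch", "--encrypt", "--recipient", recipient, input_path]


def run_without_shell(argv):
    # shell=False is already the default for subprocess.run; it is written out
    # here to make the intent explicit for anyone reading the code later.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def echo_last_arg(value):
    # Stand-in for gpg: a Python child that prints its final argv element, so
    # we can observe exactly what the child received for that argument.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[-1])", value]
    return run_without_shell(argv).stdout.rstrip("\n")


# Constructed sample filename containing characters a shell would interpret.
SAMPLE_NAME = "quarterly report; echo $(hostname) `date`.txt"


if __name__ == "__main__":
    print(build_gpg_argv("gpg", SAMPLE_NAME, "alice@example.com"))
    # With an argument list the child sees the literal filename, unchanged.
    print(echo_last_arg(SAMPLE_NAME))
```

The check to keep in mind when reviewing wrapper code is simply whether the command is ever assembled into one string and run with shell=True; the argument-list form above needs no quoting or escaping of user-supplied paths because no shell parses them.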