doc: python bindings howto

* Adjusted the python-gnupg so the comments regarding insecure
  invocation of commands via subprocess (shell=True) were a major
  historical issue and not a current issue.
* Not including Vinay Sajip's requested change to say it is now secure
  since no audit of the current code base has been performed and my
  last major inspection of that code was around the time I first
  ported PyME to Python 3 in 2015.
This commit is contained in:
Ben McGinnes 2018-03-19 13:09:46 +11:00
parent bf67cf433f
commit 0fb8a5d45c


@ -117,7 +117,11 @@
Unfortunately it has been beset by a number of security issues,
most of which stemmed from using unsafe methods of accessing the
command line via the =subprocess= calls.
command line via the =subprocess= calls. While some effort has
been made over the last two to three years (as of 2018) to
mitigate this, particularly by no longer providing shell access
through those subprocess calls, the wrapper is still somewhat
limited in the scope of its GnuPG features coverage.
The python-gnupg package is available under the MIT license.
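Review bot: the new sentence "particularly by no longer providing shell access through those subprocess calls" asserts a concrete code change in python-gnupg without saying which release made it, which leaves readers unable to check whether the version they install actually has the fix; since the commit message itself notes that no audit of the current code base has been done, consider naming the python-gnupg release (or changelog entry) where shell=True was dropped, or rewording to "the maintainer reports that..." so the claim is attributed rather than asserted. The "(as of 2018)" qualifier is good practice and should stay.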
@ -132,15 +136,15 @@
package also relied on subprocess to call the =gpg= or =gpg2=
binaries, but did so somewhat more securely.
However the naming and version numbering selected for this package
resulted in conflicts with the original python-gnupg and since its
functions were called in a different manner, the release of this
package also resulted in a great deal of consternation when people
installed what they thought was an upgrade that subsequently broke
the code relying on it.
The naming and version numbering selected for this package,
however, resulted in conflicts with the original python-gnupg and
since its functions were called in a different manner to
python-gnupg, the release of this package also resulted in a great
deal of consternation when people installed what they thought was
an upgrade that subsequently broke the code relying on it.
The gnupg package is available under the GNU General Public
License version 3.0 (or later).
License version 3.0 (or any later version).
*** The PyME package maintained by Martin Albrecht
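Review bot: the rewritten paragraph in this hunk is still one run-on sentence ("The naming and version numbering ... resulted in conflicts ... and since its functions were called in a different manner ... the release of this package also resulted in ..."); moving "however" inward does not fix that, so consider splitting it after "original python-gnupg" into two sentences, for example "The naming and version numbering selected for this package, however, resulted in conflicts with the original python-gnupg. Since its functions were also called in a different manner to python-gnupg, the release caused a great deal of consternation when people installed what they thought was an upgrade that subsequently broke the code relying on it." The license wording change to "(or any later version)" is fine and matches the usual GPLv3-or-later phrasing.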