GNU bug report logs - #29906
27.0.50; Emacs prompts for passwords in GUI dialog instead of minibuffer

Previous Next

Package: emacs;

Reported by: nljlistbox2 <at> gmail.com (N. Jackson)

Date: Sat, 30 Dec 2017 02:13:02 UTC

Severity: minor

Tags: notabug

Found in version 27.0.50

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.

Full log

Message #17 received at 29906 <at> debbugs.gnu.org (full text, mbox):

From: Daiki Ueno <ueno <at> gnu.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: "N. Jackson" <nljlistbox2 <at> gmail.com>, 29906 <at> debbugs.gnu.org
Subject: Re: bug#29906: 27.0.50;
 Emacs prompts for passwords in GUI dialog instead of minibuffer
Date: Sat, 30 Dec 2017 21:13:04 +0100

Eli Zaretskii <eliz <at> gnu.org> writes:

>> From: nljlistbox2 <at> gmail.com (N. Jackson)
>> Cc: 29906 <at> debbugs.gnu.org
>> Date: Sat, 30 Dec 2017 10:54:31 -0500
>> 
>> At 10:19 +0200 on Saturday 2017-12-30, Eli Zaretskii wrote:
>> >
>> > Does this NEWS.26 entry help?
>> >
>> >   ** The pinentry.el library has been removed.
>> >   That package (and the corresponding change in GnuPG and pinentry)
>> >   was intended to provide a way to input passphrase through Emacs with
>> >   GnuPG 2.0.  However, the change to support that was only implemented
>> >   in GnuPG >= 2.1 and didn't get backported to GnuPG 2.0.  And with
>> >   GnuPG 2.1 and later, pinentry.el is not needed at all.  So the
>> >   library was useless, and we removed it.  GnuPG 2.0 is no longer
>> >   supported by the upstream project.
>> >
>> >   To adapt to the change, you may need to set 'epa-pinentry-mode' to the
>> >   symbol 'loopback'.

I wasn't aware of this entry.  Would it really make sense, given that
pinentry.el was a new library introduced in Emacs 26?

>> Yes, that does help, thank you. I should have checked the news.
>> 
>> It doesn't help me decide what to do though. Do you know if using
>> the prompt in the minibuffer (using `loopback') is thought to be
>> less secure than using the external pinentry program?
>
> I don't know enough about this to tell.  Daiki, any inputs?

I would say it's provides the same level of security as pinentry-gtk,
which no longer uses secmem these days.

It's unfortunate that one of the GnuPG contributors (who currently seems
inactive) had advertised that it was less secure, based on his Emacs 19
knowledge:
https://dev.gnupg.org/T2034#89059

Sigh.  I am really disapponted with the recent development of GnuPG
(failed attempt of standardization, immature implementation of TOFU, FUD
like this, etc).

Regards,
-- 
Daiki Ueno
This bug report was last modified 5 years and 266 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.