GNU bug report logs - #29906
27.0.50; Emacs prompts for passwords in GUI dialog instead of minibuffer

Previous Next

Package: emacs;

Reported by: nljlistbox2 <at> gmail.com (N. Jackson)

Date: Sat, 30 Dec 2017 02:13:02 UTC

Severity: minor

Tags: notabug

Found in version 27.0.50

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.

Full log

Message #20 received at 29906 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: nljlistbox2 <at> gmail.com, 29906 <at> debbugs.gnu.org
Subject: Re: bug#29906: 27.0.50;
 Emacs prompts for passwords in GUI dialog instead of minibuffer
Date: Sat, 30 Dec 2017 22:53:45 +0200

> From: Daiki Ueno <ueno <at> gnu.org>
> Cc: nljlistbox2 <at> gmail.com (N. Jackson),  29906 <at> debbugs.gnu.org
> Date: Sat, 30 Dec 2017 21:13:04 +0100
> 
> >> >   ** The pinentry.el library has been removed.
> >> >   That package (and the corresponding change in GnuPG and pinentry)
> >> >   was intended to provide a way to input passphrase through Emacs with
> >> >   GnuPG 2.0.  However, the change to support that was only implemented
> >> >   in GnuPG >= 2.1 and didn't get backported to GnuPG 2.0.  And with
> >> >   GnuPG 2.1 and later, pinentry.el is not needed at all.  So the
> >> >   library was useless, and we removed it.  GnuPG 2.0 is no longer
> >> >   supported by the upstream project.
> >> >
> >> >   To adapt to the change, you may need to set 'epa-pinentry-mode' to the
> >> >   symbol 'loopback'.
> 
> I wasn't aware of this entry.  Would it really make sense, given that
> pinentry.el was a new library introduced in Emacs 26?

??? I see pinentry.el in all versions of Emacs starting from 25.1.

> >> Yes, that does help, thank you. I should have checked the news.
> >> 
> >> It doesn't help me decide what to do though. Do you know if using
> >> the prompt in the minibuffer (using `loopback') is thought to be
> >> less secure than using the external pinentry program?
> >
> > I don't know enough about this to tell.  Daiki, any inputs?
> 
> I would say it's provides the same level of security as pinentry-gtk,
> which no longer uses secmem these days.
> 
> It's unfortunate that one of the GnuPG contributors (who currently seems
> inactive) had advertised that it was less secure, based on his Emacs 19
> knowledge:
> https://dev.gnupg.org/T2034#89059

Would you advise saying something along these lines in NEWS?

Thanks.
This bug report was last modified 5 years and 266 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.