On 6 Feb 2009, Moritz wrote: > I think we should rather remove it altogether. The above's likely only the tip > of the iceberg.
I agree with this assessment. The version of iceweasel-firegpg that is
currently in debian sid should be removed due to its insecure writing of
data (including both decrypted cleartext *and* the user's password!) to
the filesystem.
This is not something that appears to be resolvable with a simple patch;
the way to resolve it (well, upstream's way to resolve it) is to
radically alter the way that the plugin interacts with gpg. This means
shifting from a "write-files, invoke-program, cleanup-files" approach to
a full-fledged inter-process communications model, piping data directly
to and from a child GnuPG process. If upstream's choices are the right
way to go, this appears to involve the creation of an
architecture-dependent shared object to handle the IPC itself. They
appear to have based the IPC object on the IPC used by engimail [0], and
the build process for this object is non-trivial (apparently involving
access to the firefox source during the build) [1].
> Anyone who insists to continue to use firegpg can still
> install it through the XPI installer.
Unfortunately, this is not universally true, since the xpi installer for
0.7.4 (the latest) only contains libipc.so for i386 and amd64 architectures.
If we want to continue to maintain firegpg in lenny, i think we need to
sort out how to build the IPC library separately from the firefox
sources (or to build it against an approximation of the sources, the way
that the enigmail package seems to do). Even better would be if
iceweasel-firegpg and enigmail could share a dependency on a separate
libmoz-ipc package or something. (at least until mozilla decides to
integrate libipc into their codebase [2]). I'm going to keep
investigating how to do this, but i strongly recommend in the meantime
that we remove iceweasel-firegpg 0.5 from sid, if 0.7.4 cannot be
uploaded promptly.
--dkg
[0] http://mozilla-enigmail.org/ipc/
[1] http://blog.getfiregpg.org/2008/10/17/how-to-compile-the-ipc-library/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=68702
signature.asc
Description: OpenPGP digital signature
